Now this is a very subjective term, as "right" means something different to each of us. More so, the subject of information security is itself a dynamic and evolving field. Any yardstick with fixed attributes may therefore not give true insight into the choice of technology. However, certain parameters of the selection process can be generalized for operational efficiency.
Based on my experience, I would recommend the following to help any CISO choose the right technology:
- Understand your line of business
- Understand the organization's core competency
- Understand business drivers
- Understand how things work within your organization
- Understand how to get things done within your organization
- Get a maturity self-assessment done for all domains of information security
- Work closely with technology and business teams to chalk out how you can transform information security weaknesses into business enablers
- Get senior management buy-in for your information security roadmap
- Prioritize tool/technology procurement and rollout
- Track your progress and keep management updated on it.
Once you have completed the tasks in points 1 to 10, you may need to focus on tool and partner selection.
Here the process could be as follows:
- Choose the technology domain you would want to address
- Check to see if there exists a Gartner or Forrester report
- Chalk down your wish list
- Float your wish list via RFPs to all partners
- Assess all partner responses against a predefined attribute set as follows:
Once done, these steps will help you narrow down your choice. However, the final decision is one you will need to make yourself, and here are a few questions you should have clear answers to in order to choose the right technology and partner:
- Is the technology completely new, or does the technology proposer have a demonstrable model in place?
- Does the technology partner have a support system in your geographical region?
- Can the technology partner offer an opex model along with capex?
- Pull out reference work to understand what can go wrong and how you can better manage technology and project issues.
- Check whether you have the in-house capability to manage the new technology.
- Check whether the technology partner presents tool benefits in terms of business outcomes.
I believe there is no substitute for experience. However, sharing through a common body of knowledge can make technology selection lucid and succinct.
I strongly recommend that every information security professional love their job first. Be spiritual – meditation, service and knowledge are profound pillars. This will help one achieve clarity of thought and vision. Without these, no matter how religiously you follow best practices, accomplishing the task may be a challenge.
– Sagar Karan, CISO, Fullerton India Credit Company Ltd., tells us how a CISO should choose the right anti-malware technology.