Procuring enterprise security technology is an involved process that requires numerous steps to ensure it goes smoothly, said Ricardo Lafosse, CISO for Cook County, Ill., during the recent SC Congress event in Chicago.
Many of Cook's services rely heavily on secure data, including property tax, court and public hospital systems. In addition, the nation's second largest county must consider a large number of regulatory considerations when adding any new security technologies, including HIPAA, the Criminal Justice Information System, IRS restrictions, the Personal Information Protection Act, and various other statutory requirements.
Lafosse offered nine tips for CISOs. While geared toward the public sector, the suggestions will work well in the private sector too.
Before Procurement, Ask Yourself Why
Before purchase, identify why you need the technology and how you came to that conclusion, Lafosse advised. For government, you must also have a proper contract vehicle, such as an RFP. There are no direct buys.
"You always want to buy the shiny new toy," he said. "They look cool, but you don’t just go out and buy it."
Ask Peers for Advice
Lafosse recommended conducting diligent research, including third-party reviews and discussion with industry peers.
"What’s really key are your peers," he said. "I cannot stress this enough. Everyone deals with these [security] issues. In the Chicago area, we have a lot of great resources. We have our CISO group and a multi-state group. It is key to be a part of it because you can bounce ideas off everyone in an informal process. You get that actual first-hand experience from your peers."
Perform Needs Analysis
Start with a needs analysis before going out to the market, Lafosse said. Consider whether you have overlapping technologies. There is nothing wrong with overlapping controls, but you need to be wary -- especially if you are fighting for budget dollars -- that you’re not asked to use the existing technology.
Consider Staff, Integration Requirements
Ensure that the new technology provides a good operational fit, he said. No technology is effective without staff to administer and manage it. "You don’t want shelfware."
It’s also imperative that the new technology integrates with existing security tools, such as the firewall and other ancillary security controls, Lafosse stressed.
Use Plain Talk, Examples When Asking for Money
To win the budget argument, Lafosse recommends presenting new technology from this angle and in plain terms: "This technology will mitigate threat X for critical asset Y."
He also suggested providing costs of possible incidents that could result from the lack of a desired technology, referring to reports from the Ponemon Institute and other respected sources.
"Unfortunately, we have a lot of examples," he said. "Use those to your benefit as much as you can from a budgetary perspective. Demonstrate operational efficiencies when looking for a new product. For example, if you are going to implement product X, you will reduce the help desk time to remediate by 20 percent. Having those rough numbers goes a long way."
Make Plans, Stay Positive
Lafosse discussed some of what he went through when adding new network access control for Cook County. Though the county used a product that provided some of the capabilities of the new system, it was very inefficient. He based his proposal for the technology on the county’s information security plan.
"It is key to have some sort of a plan instead of pulling something out of thin air," he said.
Lafosse admitted that he used to make the mistake of leading with the negative aspects of a project before providing the positives. Providing the pros before the cons is more likely to get a project approved. "Give the good stuff up front; hopefully they won’t listen to the bad part," he said.
Illustrate Your Business Case
"Re-emphasize why you are making this purchase," he added. "For us, we used the figure from Ponemon of $154 per breach. The network access control was also going to allow people to self-service."
The self-service capability was critical because Lafosse has only three people in his department.
"One of the key attributes for any new procurement is automation," he said. "The security controls need to share information with each other. The more automation, the easier us for us to protect our network."
The technology also had to have automated enforcement for access because the county receives open source feeds from the FBI and other law enforcement entities.
Give Vendors Clear Guidelines
"Be candid with vendors. If you don’t like the solution, tell them," Lafosse said. "Don’t waste your time, don’t waste their time. Offer clear-cut guidelines. It’s not fair if you don’t set rules of engagement upfront. If you are seeing everything move south, let the vendor know right away."
Agree on a proof-of-concept scenario and set realistic expectations, Lafosse added. Don’t encourage grandiose expectations that you know will fail.
When his initial proof-of-concept request proved too ambitious for the vendors to meet within the given timeframe, Lafosse scaled it back.
"Have very tangible goals," he advised. "Don’t just say that you want to protect the network. Provide the vendor sanitized copies of the network infrastructure. Give the vendor the information they need to do a proper proof of concept."
And, he added, make sure you sign an NDA before agreeing to a proof of concept.
Fully Test the Tech
Lafosse recommended fully testing the functionality of the technology rather than relying on a small test environment. "Actually send live data to it, and make sure the tool is doing what it is supposed to do. Make sure it produces reports for industry mandates."
Once the technology clears these hurdles, buy it, he said.
Phillip J. Britt's work has appeared on technology, financial services and business websites and publications including BAI, Telephony, Connected Planet, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.