Top 5 Tips for Choosing a Cybersecurity Product

There are hundreds of cybersecurity products on the market, and it can be difficult to select one amid the noise.  Do you select a cybersecurity product based on an alert you see on the news?  Choose based on an advertisement or magazine article?  Do you simply select one because it appears on a “magic quadrant”?  Here are the top 5 tips for choosing a cybersecurity product.

Tip #1: Fits a Gap

The top tip for choosing a cybersecurity product is to look for one that fits a gap or need within your environment.  The most straightforward way to do this is to align your organization with a cybersecurity framework or maturity model. 

For example, if you choose the CISA Zero Trust 2.0 Maturity Model, the “Authentication” function within the “Identity” pillar requires “phishing-resistant MFA (multi-factor authentication)” once you reach the Advanced maturity stage.  To reach that stage and fill the gap in your posture, you may purchase hardware WebAuthn/FIDO2 keys such as YubiKey or Feitian.  This purchase fits a direct need and helps your organization achieve a higher cybersecurity maturity level for your chosen framework.

Tip #2: It Works

After you determine that a product fits a gap, it has to work in your environment.  See if you can do a free trial before you buy.  The product may also have a freemium model so you can use the free version and upgrade to the paid version when you determine that the product works and fulfills a need.  Even security hardware companies will usually let an organization test a product before purchasing.

Tip #3: Secure

This should go without saying, but a cybersecurity product should itself be secure.  It’s always a good idea to do your due diligence on the product and the company before using it.  The product should improve your security posture, not weaken it.  You can request a security audit from the vendor or perform your own.  Research should also be performed on the company and the product.

Tip #4: Pricing

The cybersecurity product should fit your budget.  If you need the product and you don’t have the budget…then you may need a larger budget.  Alternatively, you can look for less expensive or open-source options to fulfill your needs.

Tip #5: Recommendation

Lastly, you can choose a cybersecurity product based on a recommendation from a colleague.  The benefit of using a recommendation is that you have a solid review from a trusted source.  On the downside, your colleague’s environment and use cases may be different from yours, so the product may not work the same way in your environment.  Additionally, it may be more difficult to find the most innovative product if you’re only choosing products based on older recommendations.  The most innovative product may be a new offering from a known vendor or from a new startup.

Velocity Can Help

Stern Security’s Velocity product helps organizations find the best cybersecurity products for their needs by aligning a company’s security posture to a security framework or maturity model (Tip #1), and then showing the solutions that are needed to fill the gaps.

Conclusion

While there are many choices on the market, these are the top 5 tips for choosing cybersecurity products. Use these tips to sift through the noise and choose the best products for your organization.

Break Down Silos & Secure the Planet

The 2022 Triangle InfoSeCon event hosted by Raleigh’s ISSA was on September 9th, 2022. To a full crowd, Stern Security‘s Founder & CEO, Jon Sternstein, gave a presentation titled: “Break Down Silos & Secure the Planet”.

The presentation abstract was the following:

People tend to cluster in their own silos and tribes in both society and within companies.  We have seen the dangers of lack of communication between individuals with different viewpoints play out between nations, states, politics, and more.  This siloed mindset also occurs within companies and industries and can lead to massive cybersecurity issues. 
 
This presentation will discuss the importance of breaking down silos.  Technical stories will be shared of large security vulnerabilities that we have discovered that would have been prevented if the company’s employees and contractors did not operate in silos.  We’ll also discuss some hacks to break out of your own silos, hack impostor syndrome, infiltrate executive ranks, and secure the planet.

Jon Sternstein’s presentation was an important lesson on working together to secure companies and to have a stronger society. Secure the Planet!

Velocity Goes Freemium

Background

Our company mission is to “Secure the Planet”.  This means that we aim to provide education and solutions that any company in the world can use to reduce cyber risk.  Our flagship product, Velocity, is a web application (SaaS product) which companies can use to evaluate their own cybersecurity posture as well as to evaluate cyber risks in all of their third-party vendors.  While we strive to have fair pricing and various levels that companies of any size can subscribe to, it’s clear that some organizations simply do not have funds budgeted to spend on cybersecurity or to try new products. We’re moving Velocity to a freemium model so any company can measure their baseline security posture for free.

Details

If we’re serious about securing the planet and providing solutions for all organizations regardless of size and budget, we need to expand our offerings. From my many years working in the cybersecurity industry, both on the customer side and the consulting side, I know that many organizations do not evaluate their security posture at all.  Many of those that do still measure their security posture using an inefficient, often inaccurate, spreadsheet approach. They list every cybersecurity measure they should be performing in one column and then state whether they are completing the task or not in another column.  It’s easy, but inefficient, painful to manage, difficult to track progress with, and tough to update.  Velocity eliminates the need for spreadsheets to measure internal risk against these known frameworks. The free version of Velocity is an easy and economical tool for any company in the world to measure its cybersecurity posture.

What is included?

In the free version of Velocity, companies can evaluate their own security posture using any of several frameworks.  Additionally, companies receive access to dashboards that give critical insight into their security posture.  As an added benefit, companies eliminate the use of inefficient spreadsheets to evaluate risk.  The frameworks that are included in the free version of Velocity are as follows:

  1. CISA Shields Up – To address increased risk due to Russia’s invasion of Ukraine, the Cybersecurity & Infrastructure Security Agency (CISA) released security guidance for organizations.  This valuable free guidance is built into Velocity. We will continue to update this significant resource in Velocity as the guidance evolves.
  2. CMMC 2.0 Level 1 – In late 2021, the Department of Defense (DoD) released CMMC 2.0 which is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  There are three levels within this model and most defense contractors will need to adhere to Level 1. Organizations can evaluate their compliance with Level 1 CMMC 2.0 for free within Velocity. The smaller subset of organizations that access more classified information can pay for a Velocity subscription to evaluate their compliance with the higher levels within this framework.  Our company pays to have certified CMMC staff.  For more information on CMMC, please review our latest article on the subject:  https://www.sternsecurity.com/blog/cmmc-2-0-program-update/
  3. CIS v8 Group 1 – The Center for Internet Security (CIS) has a well-known list of cybersecurity controls that are recommended for all organizations.  The latest version (v8 as of this writing) splits the security framework into three groups depending on the size and cybersecurity maturity of the organization.  The free version of Velocity includes the first group, Implementation Group 1.  Organizations looking to evaluate their maturity with Groups 2 and 3 can upgrade to a paid subscription within Velocity.  Our company pays an annual license fee to utilize this security framework.

How do we pay for this?

We have to pay for this somehow as we definitely cannot help secure the planet if we don’t have the funds to run our product.  While several frameworks (or parts of frameworks) are free, we have over 10 other major security and compliance frameworks that companies can pay a subscription for. We continue to add more frameworks.  We pay subscription fees which we pass on to companies who subscribe to additional features within Velocity.  Additionally, we charge companies to evaluate the security posture of their vendors.  While utilizing the free version, there is an easy path to upgrade to a paid subscription to utilize other frameworks or evaluate vendors.

How do I get my free account?

Go to https://www.velocitysec.com and create your free account today!

Conclusion

I’m incredibly excited to announce our freemium version of Velocity.  This is the result of months of hard work from an amazing team.  We are so proud of the result and what it can do for the world.  Now that Velocity is offering this freemium model, we see a clear path to making our motto “Secure the Planet” a reality.  Velocity is not going to solve every cybersecurity problem, but it does give organizations actionable items they can perform to reduce risk.  Now any company in the world can measure their baseline security for free on a beautiful web interface.

Sincerely,
Jon Sternstein, Founder

Where Should the CISO Report?

The CISO (Chief Information Security Officer) reporting structure is a hotly debated topic and the solution often differs depending on the organization. This question has perplexed many organizations. It’s a topic of growing importance as cyber attacks grow in frequency and breach costs increase.

Many organizations initially place the cybersecurity responsibility within the IT department, reporting to the CIO. This may work in a small environment or if leadership prioritizes security. However, many understandably believe the CISO should report outside of IT because of a potential conflict of interest. Security and IT have different priorities. IT focuses on adding new systems and features while maintaining stability. Security, much like Risk and Compliance, focuses on managing risk, adhering to policy, and ensuring proper controls are in place.

For example, let’s say IT wants to add a new product that has not been properly vetted for security issues. If the CISO reports to the CIO, who is more focused on getting the product out there, the CIO may silence the security team’s concerns and bypass regular procedure. In some cases, the CIO may dictate what the security team can or cannot review, or even tell the security team how to perform its reviews.

In a recent LinkedIn poll, we asked whether the CISO should report to the Board, legal/compliance, finance, or IT. Out of nearly 1000 votes, 75% stated the CISO should report directly to the board. Many individuals stated that avoiding conflicts of interest was the reason to report outside of IT. This raises the question of why the CISO often doesn’t have a seat at the executive table, and why many organizations do not give this role a C-suite designation. Instead of a “CISO”, many organizations have a Security Officer, a data security manager, or a VP of security.

It is true that several reporting structure options may work. On the other hand, it is clear that conflicts of interest are a concern and have stirred trouble in companies. The CISO role should operate similarly to Risk and Compliance and have a voice at the top. If an organization is serious about cybersecurity, it should hire security-minded leadership and ensure that the reporting structure avoids conflicts of interest.

Creating an Incident Response Plan

Stern Security’s Founder and Principal, Jon Sternstein, presented at the 2019 NCHICA Incident Response 101 Forum. His presentation was titled, “Creating the Incident Response (IR) Plan Using Playbook Scenarios”. The full presentation can be read below.

Presenter: Jon Sternstein

August 2nd, 2019

Research Triangle Foundation
12 Davis Drive
Research Triangle Park, NC

Healthcare Security Project Strategies – 2019 Academic Medical Center Conference

The 2019 Academic Medical Center Conference featured a presentation by Vidant Health cybersecurity leadership alongside Stern Security’s leadership. The presentation was titled, “Healthcare Security Project Strategies” and covered several major healthcare security projects with details about what worked and which strategies made the projects successful.

Presenters: Kirk Davis & Jerry Hare (Vidant Health), Jon Sternstein (Stern Security)

June 4th, 2019
Washington Duke Inn, Durham, NC