MARCH 2023  CIOAPPLICATIONS.COM  9

fewer weekly meetings with customer success teams. Fewer relationships to manage means more time to focus on the meat and potatoes of security.

As an example, it has been interesting to watch the evolution of modern CSPMs (cloud security posture management tools). CSPMs have grown beyond their traditional posture-checking features; they now bundle everything from source code analysis and container vulnerability management to dynamic scanning. If I were starting a security program today, I might look for one vendor to manage all of my security tooling rather than a handful of point solutions. A best-of-suite offering may not include the best tool for every particular use case, but a more robust suite can compensate for that.

Ease of Deployment

Ease of deployment is another important aspect to weigh in the trade-offs. It can make the difference between a program that succeeds and one that never takes off.

Take static analysis tools, for example. Static analysis is a fundamental security control because it provides visibility into the security of an organization's first-party code.

One trade-off that became apparent to us when selecting a static analysis tool was that certain tools required a more involved setup, often including building the source (a full compilation of the code base) before any code could be analyzed. While these tools produced better findings, the difficulty of doing that organization-wide was a huge barrier to adoption. In the end, we were better served by a tool that produced adequate results without requiring that step.

Security teams need to watch out for this when running POCs (proofs of concept). Deployment issues can go undetected in a POC given the limited scope of these engagements: a tool that builds cleanly on the one repository chosen for the pilot may not build on the many it must cover in production, so the POC should include a representative sample of the organization's code bases.

Pricing methodology that makes sense

Today, security products are offered as software as a service (SaaS). In this model, products are typically priced per seat or per resource. Some of the friction we have had with vendors has come from disagreeing with their methodology for counting those seats or resources.

At the start of any engagement, security teams should have a serious discussion with the vendor about how seats or resources are counted, and make sure they understand exactly what the vendor intends to count (for instance, whether every cloud account, container image or short-lived instance counts as a separate resource). In one case, our team spent upwards of twenty hours proving to a vendor that their pricing methodology was inaccurate: a painful lesson that could have been avoided by settling the question early on.

Customer Success team you can work with

Lastly, consider the people you will be working with on a regular basis: the vendor's Customer Success team. Since you will interact with them regularly, it makes sense to validate that they are a fit for your security team. For all practical purposes, the vendor's customer success team should be considered an extension of your own workforce.

The best Customer Success team we work with is very responsive to the questions and issues we raise about their product. What sets them apart, though, is the breadth of their knowledge and expertise in the cloud domain. I asked whether they would guide us through some thorny issues in our cloud architecture, and they have been fantastic in that effort even though it is not entirely related to their product line. Over my years of working with many vendors, I have come to appreciate that there are things beyond technical capability that make a partnership successful.