For the last few months, it’s been hard to avoid Marie Kondo. Author of The Life-Changing Magic of Tidying Up, and star of the Netflix series Tidying Up With Marie Kondo. Her advice is everywhere today, but did you know that her advice also applies to visiting the RSA Conference?
I’ve spent most of my career in security as an enterprise security professional, with the last few years spent vendor-side, so I’m very aware that there are many traps that can be easily fallen into when making security purchasing decisions.
With 700+ vendors expected at RSA, there will be a lot to see. Many will say that conferences are about learning and networking—not about the vendors. While I agree that these are the most valuable parts of any conference, I have also always enjoyed hearing about new technologies and emerging trends, and I always learn something by walking around the expo halls. But there are many pitfalls, and some simple rules that can help you make smarter decisions, if you are in a shopping mood.
1. “Visualize the Purchase you Want”: I know a lot of smart customers who refuse to visit conference expo floors, instead preferring 1-on-1 meetings with vendors. This could be a good way to stay focused. At a minimum, have an idea of what you’re looking for before you hit the show floor. You didn’t think you needed AI-enabled user provisioning, and you’re not sure how Machine Learning applies to dark-web crawling…but now they’ve scanned your badge, and before you know it, you’re getting buzzword-laden emails for the next year.
2. “Decide what part of your life the purchase is for”: Marie asks, “Is this for my business life or my private life?” At RSA, ask yourself, “is this for my security operations? My identity management program? Or is it because I feel the need to do something with Machine Learning?”
3. “Touch each item you’re considering”: Turns out that this tip also applies perfectly, whether you’re shopping for clothes, or buying security products. I think we build some of the best products in the world, but if a vendor tells you they’re a fit for every use case, they’re lying to you. It’s painful to see one of our customers hit a snag because our product doesn’t work with a niche technology in their environment, was sized incorrectly, or simply doesn’t support one of their use cases.
4. “Ignore clothing that is not available in your size”: Most information security vendors have a pretty good idea of what market they’re targeting with their products—and the more mature vendors have done a good job honing their products to said market. The most obvious distinction are products geared toward smaller / medium-sized businesses (SMB) and those geared toward larger enterprises. I’ve worked with some smaller organizations over the years who have turned up their noses at simplified products aimed at organizations like theirs and they’ve quickly become overwhelmed when their smaller teams didn’t have the capacity to optimally manage these complex systems. I’ve also seen larger organizations struggle to adapt to simpler products that won on the basis of price.
5. “Tour the entire store before you try anything on”: It’s so important to survey the vendor landscape before you make a purchase decision. I can’t count the number of clients I’ve worked with who regret their choice of products. Unsurprisingly, I find that many of these choices were made because they fell in love with the capabilities of a particular vendor and bought before a thorough evaluation. Not every organization has the resources to conduct a full bake-off, and you don’t always need to. However, step back and look at the landscape.
6. “Don’t shop with friends or family”: The New Yorker notes that, “When shopping is done as a social activity, it becomes too easy to slip into careless purchasing habits.” Social pressures, even in our world of infosecurity, can guide our shopping decisions more than we realize. There’s something incongruous about signing up for a demo because the vendor invited you to a party with Coolio. Yet it happens all the time. Don’t let Coolio guide your expensive security shopping decisions. Same goes for Sting, or any “recording artist to be announced shortly.”
7. “Accept Your Current Size”: Kondo stresses that she will only purchase what fits her now. In our world, the equivalent is buying more than we need—either in quantity or capabilities. Don’t buy more seats or more GB / day than you need because “we’ll grow into it” or “the vendor is offering an amazing deal.” A good vendor should extend similar discounting on your incremental purchases that they did in the first purchase. It should be a red flag if a vendor is pushing you to purchase more than you can consume within a couple months of deployment.
8. “Don’t wait for an item you need to go on sale”: We all want a deal, but the cheaper product in the long run is not necessarily the one with the biggest discount—it’s the one that meets your requirements most effectively. Over the years, I’ve worked with many organizations that adhere to a strict purchasing protocols: whichever vendor gives the lowest per-unit price (after meeting several pages of check-the-box requirements) gets the sale. I understand the need for an unbiased purchasing process, and I know that Purchasing teams can save your organization lots of money. However, it is rare that the absolute cheapest per-unit price results in the lowest total cost of ownership in the long run.
9. Finally, “Don’t buy anything you don’t have to have”: Shelfware is bad for you, and bad for your vendors too. We’ve all bought products that we didn’t end up using to complete entitlement, and in many cases, it’s because we bought something ahead of our organizational maturity. For example, if your SOC can’t keep up with triaging rules from your IDS, then purchasing ML-based anomaly detection will make the situation worse. Do you have a process for simply centralizing logs today? If not, then you might struggle with next-gen SIEM.
Perhaps the best way to think about product purchases though, is the essence of the KonMari method—purging the things you don’t need, or “decluttering” your life, by removing those things that don’t “bring you joy.” We should apply the same approach to our security programs. It’s not unusual for security organizations to be juggling 50-100 different tools, most of which don’t work together seamlessly, and require significant manual touch. Focusing on consolidating the product clutter and trimming out the products that aren’t making you more efficient is the surest path to finding joy in your security product stack.