CISO implementation guide: 10 ways to ensure a cybersecurity partnership will work
Capitalizing on the urgency companies feel to launch new digital businesses, cybersecurity vendors are forming partnerships to close product gaps quickly. Understanding how a new alliance can actually deliver results must be part of every CISO's purchasing decision process, because partnerships can be something of a slippery slope.
Today, CISOs face the conflicting demands of securing operations while supporting business growth. IT and cybersecurity teams are stretched thin scaling endpoint security for virtual workforces while also securing customer identities and transactions. CIOs and CISOs are turning to the vendors they rely on for immediate help. In turn, the vendors' quick fix is to create as many partnerships as possible to close product gaps and close the upsell or new sale.
What’s driving market demand is the pressure CIOs and CISOs have to deliver results. Companies’ boards of directors are willing to double down on digital business plan investments and accelerate them. According to the 2021 Gartner Board of Directors’ survey, 60% of the boards rely on digital business initiatives to improve operations performance, and 50% want to see technology investments deliver improved cost optimization.
Company boards have a high level of enthusiasm for technology spending in general and cybersecurity especially. As a result, Gartner predicts the combined endpoint security and network access market will be a $111 billion opportunity. For such cybersecurity companies, partnerships are a quick path to lucrative deals and higher profits.
Partnerships alone will not resolve the conflicting demands on IT resources to secure a business while driving new business growth, and they are not a panacea for the biggest challenges facing IT today. Trusting the wrong partnership can cost millions of dollars, lose months of productive time, and even cause a new digital venture to fail. Due diligence on a nascent cybersecurity partnership needs to go beyond comparing the partners' financial statements and into the specifics of how the combined technologies are performing in actual, live customer environments today. The following ten questions guide that decision.
10 ways to truth-test cybersecurity partnerships
1. Is the partner’s solution a bolt-on or built-in integration?
The core of a bolt-on integration is usually adapter or connector code that maps one vendor's API onto the other's. Adapter- and connector-based integrations can be built in 90 days or less. Because bolt-on integrations are fast to develop, they are flooding the cybersecurity market today. Getting one right starts with knowing how the adapters and connectors scale, what their rate and volume limits are, and how they fail when pushed beyond those limits (dropped events, silent retries, or a hard stop).
Built-in integrations go beyond API mapping and integrate at the platform, OS, or firmware level. They can take a year or more to produce, including internal software QA, beta testing, and certification. One of the most successful cybersecurity partnerships of this kind is IBM and Qualys. Their shared platform design-in integration was first announced at the 2017 RSA Conference, when IBM and Qualys agreed to a co-development partnership giving IBM customers greater visibility of IT assets, vulnerabilities, and threat data using Qualys technology.
Another built-in integration based on partnerships is Absolute Software's alliances with 28 OEMs, which embed Absolute's agent in each device's firmware. The agent is present in more than 500 million PCs in use today, and approximately 11.6 million endpoints are actively tracked. Absolute's combination of multi-partner technology alliances and an undeletable, firmware-resident tether to each device provides IT asset management and endpoint security visibility that a bolt-on agent cannot match.
2. Does the product roadmap synchronize to the primary vendor’s releases?
A quick way to see whether a partnership has progressed beyond press releases is to get a briefing on the joint roadmap. Look for point releases on each vendor's product timeline that state when the integration code will be done, tested, and ready. If co-development and integration aren't on the roadmap, there's a good chance no DevOps team has been assigned. Bolt-on adapter and connector projects, for example, often don't appear on roadmaps because they are side projects DevOps works on in its spare time. Roadmaps are a proxy for resources and reveal the true priorities of each partner's DevOps team.
3. Beware of partner-based solutions that require a new IAM or PAM platform.
Looking to capitalize on the urgent need companies have to ramp up online transaction systems while supporting virtual workforces, cybersecurity vendors will use partnerships to push a switch to an entirely new identity and access management (IAM) or privileged access management (PAM) platform. That is a Herculean undertaking, and it shifts the workload of platform support from the vendors to the customer. Don't let it happen. Instead, hold out for vendors that support a wide variety of IAM and PAM platforms, proving they can scale to meet unique security and growth requirements. No one should have to change IAM or PAM platforms for a partner-based solution.
4. Is the partnership efficient at producing production-level code at scale?
DevOps teams often suffer from disconnects with the security team when getting code validated, approved, and into production at customer sites. A glaring disconnect today is how long it takes for vulnerability scans of new code to complete. For a partnership to work, its DevOps teams need to break through the logjam of waiting on security teams to run those scans. McKinsey's Cybersecurity: Linchpin of the Digital Enterprise study notes that DevOps and security teams need to streamline how they work together and provide specialized support at cloud speed.
Above: McKinsey finds the majority of cybersecurity operating models aren’t running at a fast enough speed to move new code through vulnerability scans into production.
5. Is the additional partner going to help or hurt your business?
Cybersecurity vendor alliances that can collaborate with IT, line-of-business owners, and customers can help boost company growth. Finding the partnerships that actually deliver on this dimension needs to guide due diligence. Asking existing customers for the results they achieved is the first step. Next, talk with line-of-business owners and reference customers and, if possible, attend the vendors' annual event to see first-hand how customers are using the combined products.
6. Interview customer references running the partnership’s solution.
Get specific with proof points of what’s working and what isn’t and how effective the partnership-based product or service is. Probe for points of failure. If there are not active customers to learn from, keep looking for other solutions — no one has time to be a beta site.
7. What’s the shared incident history of the partnership?
Drill down on the incident history of each partner in detail, especially with customers running the solution being pitched as part of the partnership. Look at each partner's incident history from before the partnership was announced as well. Due diligence should include tracking the primary vendor's and the partner's incident history on the combined configuration, and that history should be referenced in the contract. Incident histories show how each vendor handles software patching and how its security team responds to incidents, which is invaluable data for indexing the performance of the partnership.
8. Third-party indemnification is a must-have.
The partnership's contract needs to provide indemnification provisions, including compensation for harm or loss in a breach. To avoid being left on their own after a breach, companies buying into a partnership need to protect themselves upfront and push for, and get, third-party indemnification. This is a non-negotiable aspect of buying into any partnership, one no company should sacrifice or capitulate on.
9. Include random external security audits in the contract.
For the partnership to prove itself over time, there need to be random audits by a third-party firm, paid for by the partnering vendors, and the contract should say so. Audits give the partnership valuable in-field data on how effective the combined solution is and where its weaknesses are. Most partnerships being created today need more external security audits to find vulnerabilities under specific configuration scenarios, so scope the audits to the combined configuration you actually run, not to each product in isolation.
10. How secure are the DevOps cycles that partners are sharing to create products?
Gaps in DevOps operations invite tampering with source code, dynamically linked libraries, executable files, and other key software components. Preventing a second SolarWinds-level attack is a priority that dominates cybersecurity today, so identifying how secure DevOps is for both bolt-on and built-in integration partnerships is essential. One of the best ways to start assessing a DevOps process is to examine how deeply security is integrated into each phase of product development. McKinsey's Cybersecurity in the Digital Era provides a useful framework.
Above: Evaluating cybersecurity partnerships to the DevOps level is advisable to see if security is a core part of each phase in the product life-cycle.
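As an added example (not the article's code, and not the code of any vendor it names), here is a release-manifest check a customer can run on a partner's build drop before it reaches production. It assumes the vendor publishes per-file SHA-256 digests with the release and authenticates that manifest; an HMAC with a shared key stands in here for the code-signing certificate or transparency-log signature a real pipeline would use. The file names, contents, and tampering scenario are constructed for the demonstration.

```python
"""Verify a partner's build drop against an authenticated release manifest.

Added example; the manifest format, key and artifacts are constructed for illustration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed shared secret. In production this is a code-signing key or
# Sigstore signature on the vendor side, never a symmetric key handed to customers.
MANIFEST_KEY = b"example-shared-manifest-key"


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(release_dir: Path) -> dict:
    """What the vendor's build pipeline would publish: per-file digests plus an authenticator."""
    files = {p.name: sha256_file(p) for p in sorted(release_dir.iterdir()) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_release(release_dir: Path, manifest: dict) -> dict:
    """Return findings. Empty 'tampered', 'missing' and 'unlisted' lists mean the drop is clean."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # The manifest itself was altered: nothing it lists can be trusted, stop here.
        return {"manifest_ok": False, "tampered": [], "missing": [], "unlisted": []}
    present = {p.name: sha256_file(p) for p in release_dir.iterdir() if p.is_file()}
    # Swapped binaries: listed file whose bytes no longer match the published digest.
    tampered = [n for n, d in manifest["files"].items()
                if n in present and not hmac.compare_digest(d, present[n])]
    # Listed but absent: an incomplete or stripped drop.
    missing = [n for n in manifest["files"] if n not in present]
    # Present but never listed: a binary the vendor's pipeline did not vouch for.
    unlisted = [n for n in present if n not in manifest["files"]]
    return {"manifest_ok": True, "tampered": sorted(tampered),
            "missing": sorted(missing), "unlisted": sorted(unlisted)}


def demo() -> dict:
    """Constructed scenario: vendor ships three files, then a post-build compromise
    replaces the connector DLL and slips an extra executable into the drop."""
    with tempfile.TemporaryDirectory() as d:
        rel = Path(d)
        (rel / "agent.exe").write_bytes(b"MZ\x90\x00 constructed agent binary")
        (rel / "connector.dll").write_bytes(b"MZ\x90\x00 constructed connector library")
        (rel / "config.json").write_text('{"endpoint": "https://example.invalid"}')
        manifest = build_manifest(rel)  # published by the vendor alongside the release

        (rel / "connector.dll").write_bytes(b"MZ\x90\x00 constructed connector library + implant")
        (rel / "helper.exe").write_bytes(b"MZ\x90\x00 constructed unexpected binary")
        return verify_release(rel, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check deliberately flags unlisted files as well as modified ones: a build-pipeline compromise of the kind the paragraph describes can add components the vendor never intended to ship, and a manifest that only proves listed files are intact would miss them. Run it on every partner drop, and treat a failed manifest authenticator as a stop-ship condition rather than a warning.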
From newly formed alliances to the long-established partnerships that dominate cybersecurity today, these 10 factors differentiate the partnerships that deliver the most value. Getting beyond due diligence via financial statements means uncovering how each partnership approaches integration, DevOps, vulnerability scans, and indemnification. Identifying the gaps in a partnership, and what they mean for securing a given cybersecurity app, platform, or technology, needs to be every adopter's primary goal.