Look beyond price when acquiring IT security products
Governments need to check out the big picture when they upgrade their security systems and software, says Joe Sullivan, former chief security officer at Cloudflare. The firm offers a global cloud platform that ensures secure, private, fast and reliable Internet connections, with a number of offerings for the public sector.
“Every purchaser of a security product should look not just at the effectiveness of the solution but also the deployment and maintenance requirements and costs. The price of the product might sound low until you figure out that you don’t have the subject matter expertise to deploy and maintain the solution on your own,” Sullivan explains.
He urges agencies to plan their acquisitions with the longer term in mind. “Adversaries rapidly evolve, and threat vectors change on a daily basis. The company behind the product you purchase should have a history of evolving as quickly.”
Sullivan says times have changed when it comes to acquiring IT solutions. “Purchasing hardware yourself has gone out of style, for a good reason. Cloud solutions provide better reliability and a faster innovation path for local governments, allowing them to focus on delivering core services.”
He suggests agencies consider teaming up with vendors that offer a broad suite of products and a culture of innovation. “They are more likely to partner with you on your overall strategy and be there for you when an issue happens. Make sure your partners are flexible and will work to evolve with you as requirements change.”
Sullivan says the public sector may need to consult outside resources to ensure agencies have the tools to protect government IT operations. “Just like in other sectors, the security teams of local governments have constraints on their own technical staffing and need to rely on trusted partners in reducing security risks.”
He points out that his firm is a global leader in network security with a diverse customer base. These characteristics, he believes, give his firm a special view into today’s security concerns. “Cloudflare has unique visibility into emerging threats and vulnerabilities and a suite of low-overhead products that can be deployed easily and efficiently.”
Sullivan has some advice for governments as they consider acquiring security software: “Don’t follow the hype around the constant promotion of new products in security; focus on the basics and select a few trusted vendors who offer a broader suite of dedicated security products.” He also suggests that local governments find partners who provide solutions that are cloud-based and that don’t require significant outside services to maintain and support.
Sullivan says the following are a few areas where government agencies can test vendors:
- How quickly can the provider set up test environments without significant burden on the security teams?
- Do the vendors offer solutions that not only address your problem of the day, but provide a platform that can respond to new threats as they emerge?
Sullivan outlines a best practice that cities and counties should follow. “Be wary of people pushing you to buy the headline-driven security product of the day. Good security is always about the fundamentals: ensuring applications and networks are resilient against attacks and employees are operating in a zero-trust environment.” He adds that it is important to talk to vendors to understand if the current technology stack is still serving the changing environment. He urges governments to try to avoid the sunk-cost mentality. Agencies may practice this mentality when they continue a project because of previously invested resources (time, dollars or effort).
Sullivan believes the best purchasing decisions for security systems are often made collectively. He sees the following as key players in the buying process: the security practitioner who will deploy and maintain the selected solution, the government officials and executives who have a longer-term perspective on the organization’s security strategy, and a procurement expert who can make sure the appropriate terms are in place so that value gained exceeds cost.
Sullivan cautions that the security market can be quite complex. He notes that vendors sometimes offer solutions that may not fit the government’s requirements. “The Department of Homeland Security, CISA, CIS and MITRE have provided matrixes and roadmaps to help security professionals develop a plan for improving their security posture. Use the guides as a best practice for developing requirements, but understand that there is no silver bullet. Systems will need to work together to get the intended security benefits.”
Omnia Partners Public Sector offers a robust portfolio of more than 300 cooperative contracts. Go to this link to view Omnia Partners’ contracts that provide IT solutions. Cloudflare’s offerings are available through cooperative contracts.
Michael Keating is senior editor for American City & County.