How CISOs can overcome cybersecurity pollution

Apr 03, 2017 | 3 mins
Analytics, IT Leadership, IT Strategy

How to assess a cybersecurity vendor in a simple, unbiased and efficient manner

Last week, I had the pleasure of leading High-Tech Bridge’s team at Black Hat Asia 2017 in Singapore and presenting a session entitled “Modern challenges of Web Application Security”. At the event, many great companies were presenting exciting cybersecurity products and solutions, with very attractive and well-thought-out marketing claims.

However, when there is so much motley diversity, it starts bordering on a pollution effect that prevents security decision makers from making the right choice. During the event, I had several brief discussions with CISOs, friends of mine from large organizations, who were also somewhat confused by the puzzle of different products.

Here are five simple pieces of advice that can protect you from cybersecurity pollution and help you select the right product for your organization and its needs.

Ask the vendor which risks their solution mitigates. Every security control should address a particular cybersecurity risk, or a group of risks, at the priority defined in your risk mitigation plan. If a vendor cannot clearly state which risks its product addresses, it is time to move on to the next one.

Ask the vendor how they are better than their competitors. Today, many security companies claim to be absolutely unique, with no competitors at all; this is not true. Every cybersecurity company has many competitors trying to address the same or very similar risks, albeit in a different manner. Therefore, if you can’t get a clear answer as to why a vendor can mitigate your risks better than the others, confidently leave their booth.

Ask the vendor for a PoC on your premises. If a product or solution is trusted by FT500 companies, that’s great news, but it can be entirely irrelevant to your organization, its internal business processes, its risk appetite and its culture. Therefore, before judging the efficiency and effectiveness of any product or solution, make sure you test it thoroughly on your premises.

Ask the vendor which technology alliances they have. Technology alliances simplify integration of the product into your existing cyber defense arsenal. Moreover, products with good market potential usually offer different types of technology integration and joint solutions with other leading cybersecurity companies. Therefore, if your vendor has a solid portfolio of technology alliances, it can be a reliable sign that the product is independently trusted by the industry and will be properly developed and maintained in the future.

Ask your peers about the product. Today there are so many different cybersecurity reports and awards that in the near future we will need a dedicated report on which cybersecurity reports to read. Jokes aside, your peers from similar organizations are probably the most unbiased and trusted sources of information about a particular product. To save time, look first at resources where the veracity of reviews can be trusted, such as Gartner Peer Insights.

By following these five simple techniques, you can thoroughly enjoy any security event or conference without bearing the burden of overcoming FUD tactics and making complicated decisions about vendor claims.



Ilia Kolochenko is a Swiss application security expert and entrepreneur. Ilia holds a BS (Hons.) in Mathematics and Computer Science, and is currently pursuing a Master of Legal Studies degree at Washington University in St. Louis.

Starting his career as a penetration tester, he later founded web security company High-Tech Bridge, headquartered in Geneva. Under his management, High-Tech Bridge won SC Awards Europe 2017 and was named a Gartner Cool Vendor 2017 among numerous other prestigious awards for innovation in application security and machine learning.

Ilia is a contributing writer for SC Magazine UK, Dark Reading and Forbes, mainly writing about cybercrime and application security. He is also a member of the Forbes Technology Council.

The opinions expressed in this blog are those of Ilia Kolochenko and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.