
It was just after dinner last Sunday evening when my wife gave me the news: She was leaving me.
So I did what any quick-thinking man would do: I sang to her the old Kenny Rogers song… You picked a fine time to leave me, Lucille. With four hungry children and a crop in the field.
“Um, Rob, I’m going away for one night for a work trip, we have two well-fed children, we are not farmers, and my name is Rachel.”
Okay, so I may have been a little dramatic.
Still, there was a problem: Rachel had asked me to get gas for her car that day while I was out running an errand. And I forgot. It was now 9:30 at night and she was leaving early the next morning.
“Fear not!” I said, in my best superhero voice. “I will get you gas!” And out the door I flew (not literally).
I drove to the first station in our town. Closed (even though Google Maps said it was open). I drove to a second. Closed. A third. Closed.
I was getting a little bit nervous. Things shut down early on Sundays around here and I was running short on options.
Finally, as I pulled into the fourth (and last) local station, I saw it was still open (it closed at 10:00). I got the gas and headed home.
On the drive back, it occurred to me that while all four of those stations sell gas, none of them sells it 24 hours a day. It was a good reminder that vendors (and, okay, husbands) can be reliable in one context but not reliable in others.
Cybersecurity vendors are no exception. When circumstances change, “adequate” (even “excellent”) can turn to “unacceptable” in a heartbeat.
Our insurance company answers the phone quickly and has great rates. But at payout time… nothing.
Our SOC (Security Operations Center) has amazing dashboards and our monthly calls are informative. But when an incident happens… useless.
Our anti-virus vendor is inexpensive and it doesn’t slow down our machines. But when malware gets on the machine, the anti-virus doesn’t do anything.
The point is, if your vendor evaluations only consider how things work during a non-emergency, you may have a huge blind spot should disaster strike.
Anticipating these types of “edge cases” – fire, flood, ransomware, hacking, etc. – goes well beyond what you might learn by asking a buddy if a particular piece of software is “good” or whether they are “happy” with a vendor.
What you really want to know is how well you will be protected if faced with a serious problem.
With that in mind, here are some things to consider when evaluating vendors of critical services…
#1. Talk to the experts.
It’s good news that cybersecurity disasters don’t happen all that often. But it also means few people have direct experience with them.
Experts do. Either first-hand or, thanks to the work they do every day, through the experiences of friends, colleagues, and clients. When you talk with them you can get a true picture of the best and worst of what’s out there.
If you can’t identify experts, at the very least make sure you are considering vendors and solutions that have experience with your industry, company size, and circumstances.
#2. Focus on what matters most.
It’s nice if your SOC is friendly and has “good customer service.” But what you most care about is how they handle an incident. Do they discover it? And when they discover it, are they able to remediate it or at least give you actionable intelligence for you to take over?
In other words, when something bad happens, can they handle it? You may be happier day-to-day with the friendly vendor, but it’s the existential threats that will put you out of business.
#3. Evaluate the trade-offs.
Every security system comes with trade-offs between effectiveness and convenience.
The lock on the front door of your house requires carrying a key or remembering a code; using it takes time. But it’s more secure than leaving the door unlocked (or not having a lock at all).
Likewise, antivirus is cheaper and simpler to implement and manage than EDR (Endpoint Detection and Response). But it’s also less comprehensive and robust.
The “best” solution always comes down to figuring out the optimal balance – for you in particular – between price, convenience, and value.
Plan for the Worst Case Scenario
Edge cases are unusual and extreme (that’s why they are called edge cases). But like any disaster, they can be devastating.
When a friend recommends a tool, service, or vendor involved in preventing or mitigating one of these rare outcomes, make sure you pay close attention to how it performs under non-ideal conditions.
Gotta run. It’s 2:00 in the morning and I’m heading out to the all-night diner. I hope it’s open!