Welcome to the fourth and final blog post in our series dedicated to helping you find a cloud security vendor that fits your cloud security strategy. This series takes you along the journey of picking, evaluating, identifying and assessing your security partners so you can feel confident as you deliver cloud security to your organization.
We invite you to review the other posts in this series:
- The Top 24 Concerns for Cloud Security Teams – to acquaint you with the landscape and potential threats
- Useful Tips for Choosing a Cloud Security Vendor – to help you evaluate and identify relevant vendors to engage with
- Top 6 Questions You Should Ask a Cloud Security Vendor – to determine if the offering warrants moving forward to a POC
And now, drumroll please: You’re ready to start a POC with a cloud security vendor. Congrats on sorting through the options and noise to get to this point – it’s an achievement! Since you’re still in the evaluation phase, you’ll want to keep doing your research and tracking progress to ensure the POC brings the clarity and value you seek.
Let’s make your time count. With input from our security experts, below is a list of POC-related questions to ask. These will help you get the most out of the POC and ensure that, should you choose it, the solution will answer your needs for mitigating relevant security threats.
Planning Your Cloud Security POC
1. How long will my POC process take?
Why ask this? Diving into a POC is not yet a full-blown commitment – but isn’t “no strings attached,” either. Ask your vendor about the time and resources they expect – and recommend – that you commit to get the most out of the process.
Their answer will help you understand the POC’s impact on your team’s time and timeframe. If the “down payment” (the effort you’re asked to put into the POC) is too high, you may want to reconsider. Also, before committing to the time investment, make sure you have confidence in the vendor.
A vendor’s response also reveals whether they run POCs efficiently. You may be lining up multiple POCs, so compare the answers across vendors.
Other questions to ask include:
- How much time does POC onboarding take?
- How soon will we be able to see meaningful results?
- Which resources do I need to allocate, and for how long?
- How many people on my side will be able to try out the POC system?
- What kinds of roles should I line up to take part in the POC?
2. How do you access my cloud-based data?
Supply chain attacks are a growing risk, and the fact that your supplier is in the cybersecurity industry does not make you less vulnerable. Most cloud security products connect either through an agent you install or through cloud-provider credentials you grant them (a cross-account role, a service account, API keys), and whichever it is, that access is a new trust relationship in your environment. When bringing in a new solution, you need to make sure that: (a) the vendor takes proper measures to secure your data and systems; (b) switching to the vendor’s solution won’t “break” your existing security stack and put you at risk.
To make sure no critical security controls are turned off during the POC, and that the access you grant is no broader than the POC needs, ask:
- How does the POC connect with my current cloud environment? Do we need to install an agent?
- Which type of data will you collect?
- Do I need to give you access to any of my other vendor solutions to get valid results?
- How can I be sure this process won’t change anything in my environment?
- Who on your end will have access to my data during the POC?
- What happens at the end of the POC if the systems disconnect?
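Two of the questions above, “Which type of data will you collect?” and “How can I be sure this process won’t change anything in my environment?”, can be checked rather than taken on faith when the vendor connects through a cloud IAM role, because the permission policy they ask you to attach is the complete list of what they can read and change. The script below is an added example for this post, not any vendor’s code or policy; it assumes an AWS cross-account role, the policy it audits is a constructed sample, and the read-only verb prefixes and the list of data-exposing actions are the editor’s heuristics, not an AWS-published classification.

```python
"""Audit the IAM policy a vendor asks you to attach to a POC cross-account role.

Added example, not code from the original post or from any vendor. Assumes an
AWS-style IAM policy document; the sample policy and the action lists below
are constructed for illustration.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample of a policy a vendor might describe as "read-only".
# The last statement is not read-only, and s3:GetObject reads your data.
VENDOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "s3:ListAllMyBuckets",
                    "iam:Get*", "iam:List*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::acme-poc-bucket/*"},
        {"Effect": "Allow",
         "Action": ["ec2:RevokeSecurityGroupIngress", "ec2:ModifyInstanceAttribute"],
         "Resource": "*"},
    ]
})

# Heuristic: verbs with these prefixes do not change state in AWS services.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup", "Search", "View",
                      "Scan", "Query")

# Heuristic: reads that hand over secrets or customer data rather than metadata.
# Flagged separately because "read-only" does not mean "harmless".
SENSITIVE_READS = ("secretsmanager:GetSecretValue", "ssm:GetParameter*",
                   "kms:Decrypt", "s3:GetObject")


def classify_action(action: str) -> str:
    """Return 'wildcard', 'sensitive', 'read' or 'write' for one IAM action."""
    service, _, verb = action.partition(":")
    if action == "*" or service == "*" or verb == "*":
        return "wildcard"
    # Match in both directions so "secretsmanager:Get*" also counts as sensitive.
    for pattern in SENSITIVE_READS:
        if fnmatchcase(action, pattern) or fnmatchcase(pattern, action):
            return "sensitive"
    if verb.startswith(READ_ONLY_PREFIXES):
        return "read"
    # Anything else (Modify*, Revoke*, Put*, Delete*, unknown verbs) can change state.
    return "write"


def audit_policy(policy_json: str) -> dict:
    """Summarise what an Allow policy lets the vendor change and read."""
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    buckets = {"wildcard": [], "sensitive": [], "read": [], "write": []}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # "Everything except X" is unbounded; treat like a wildcard grant.
            buckets["wildcard"].append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            buckets[classify_action(action)].append(action)
    return {
        "write_actions": sorted(buckets["write"]),
        "wildcard_actions": sorted(buckets["wildcard"]),
        "sensitive_reads": sorted(buckets["sensitive"]),
        "read_actions": sorted(buckets["read"]),
        # True only if nothing in the policy can change state.
        "read_only": not buckets["write"] and not buckets["wildcard"],
    }


if __name__ == "__main__":
    report = audit_policy(VENDOR_POLICY)
    print("Read-only integration:", report["read_only"])
    for key in ("write_actions", "wildcard_actions", "sensitive_reads"):
        if report[key]:
            print(f"{key}: {', '.join(report[key])}")
```

Run it against the policy file the vendor sends before you create the role. Anything under write_actions or wildcard_actions contradicts a “we only observe” claim and should be removed or justified; anything under sensitive_reads is the concrete answer to “which type of data will you collect”. The prefix heuristic errs on the side of calling unfamiliar verbs writes, so an empty report is a stronger signal than a non-empty one, and it tells you nothing about agents, which need the same review of the privileges they run with.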
3. How do you help me measure the success of the POC?
We daresay this is the most important question in the POC. It addresses how you will monitor POC metrics and track goals, so you can confirm that the solution fits your cloud security strategy and your ROI reporting objectives (the concept of ROI is the same as for any project). Agree on the success criteria before the POC starts; metrics defined after the fact tend to fit whatever the POC happened to show.
But not only that. The answer tells you what data you will have for making your decision and, should you decide to move forward with full implementation, gives you the evidence you need to win support for that decision across the company. It also lets you compare the ROI outcomes of different security vendor POCs on the same basis.
Questions for success measurement include:
- Which metrics can we see, where and how often are they updated?
- How do we get alerts about risks and auto-fixes?
- What use cases will you enable me to try out? What use cases do you recommend?
- Where can I define and monitor use cases?
- What are the SLAs?
During Your Cloud Security POC
4. Who can I contact for guidance and questions during the POC?
However savvy you are, avail yourself of the vendor’s guidance, especially at the beginning. This is important to helping you understand the nuts and bolts of the solution, but also enables you to evaluate what it will be like to work with the vendor day-to-day. You will see how responsive and knowledgeable they are – and what it would be like to deploy the system for less experienced or knowledgeable people on your team or in your organization. Regardless of what the vendor suggests, we recommend having any stakeholder you deem relevant – across security, DevOps, IAM, other engineering teams and even leadership and contractors – take part in the POC.
Suggested questions for evaluating the communication aspect of the POC:
- Please describe what support is available to me during the process. What’s the cadence of meetings? Who do we contact? What are the SLAs?
- Who do you recommend should take part in the POC on my side? Which kinds of roles?
- Can people (contractors, etc.) outside my organization participate in the POC?
- Can anyone in my organization access the POC, including ad hoc?
5. What if I need customization within the solution?
The purpose of the POC is to measure the gap between the many sales calls and product pitches you went through and what the solution actually does. If the gap is small or non-existent, the solution is a good candidate for implementation in your architecture.
But what happens if, partway through, you realize you need a capability the product does not yet have?
Agile, cloud-native businesses have made it increasingly acceptable (and technologically possible) for customers to request features and get them delivered in a short period of time. This is even more so for startups, which are attempting to penetrate the market and need customer success stories (which one day you may help provide them).
By determining the process by which you can request and receive a new feature, you will get a sense of how flexible and attentive to your needs the vendor and the product roadmap may be. A flexible roadmap can mean very high ROI for you down the road.
Questions for assessing customization options:
- What is your process for evaluating a customer request and how frequently do you have a significant product release?
- Can you develop and customize new features in the system?
- What is the latest customer-requested feature you added to your solution, and why was it requested? Can you demo it for me? (Phrasing the question this way tells you whether customer requests actually reach the product.)
After Your Cloud Security POC
6. Have we reached our goals?
One of the most important questions you asked the vendor before the POC was how to measure the POC’s success. Now is the time to review the resulting metrics and identify if your goals were met, and the solution is worthy of implementing to meet your needs.
Questions to ask include:
- Why did the POC exceed or fall short of our goals? What should we understand from this? Is there something we should have done differently?
- How can we share our metrics with others? (e.g., can we download PDF reports? Is there a Slack integration?)
- How can I optimize the alerts and findings to fit my needs and lower the false positives? What other optimizations can I perform?
- What steps do you recommend for higher ROI with your solution?
7. What is involved in implementing the solution?
The POC is a worthwhile step toward understanding solution value. You are now ready to decide if you want the platform to be part of your daily workflow. If so, now is the time to find out the operational aspects of onboarding and usage.
Questions to ask regarding solution implementation:
- What are next steps, such as onboarding and other Day 2 type actions, in the event that we choose your solution?
- What do you propose for an implementation schedule?
- What kind of legal or financial paperwork needs to be done?
- How do we onboard all our information and users to the solution?
- Which additional features will we have access to and how can we use them?
- Whom do we contact for assistance in the first months?
- What are the recommended best practices for our first year of using the platform?
Conclusion
Cloud threats and attack vectors are growing, vendor offerings are constantly changing and the need for effective cloud security solutions is acute. Careful consideration before you make an investment in a solution is justified and can make a huge difference for your organization’s cloud protection. In this kind of market, POCs make a lot of sense – and are an excellent way to address the ever-relevant “caveat emptor.” Whatever you do, keep doing the research, asking clarifying questions and gaining a detailed understanding of the vendor’s cloud security capabilities – including those you may not have thought you were looking for – and differentiation. It’s the best way to find the vendors that will get you there and keep you ahead of the next threats.