Seasoned CISO Mike Manrod knows the value of a good cybersecurity vendor evaluation. He recalls that in a past job he inherited some very expensive vaporware under a long-term services agreement. His predecessor had purchased an “innovative” beta identity and access management platform but hadn’t done any analysis on the product, simply accepting the vendor’s claims of its efficacy. It was a dud.
Inversely, as CISO at his current company Grand Canyon Education, Manrod set his team up to evaluate an allegedly “brilliant” web application security product only to discover through testing that its client-side validation was easy to bypass and thus subvert the product. That basic test saved them from making an expensive mistake. “Startups are trysforming, and sometimes they go back to the drawing board. Nothing wrong there, but if we as security leaders purchase something that’s not ready yet, that’s on us,” he says.