Top 6 Questions You Should Ask a Cloud Security Vendor

Choosing a cloud security platform and tools is not for the weak of heart – so much at stake! This framework can help you decide which vendor is right for you.

By Ermetic Team

If you’re a CISO or in any security decision-making role, securing your cloud is an important part of your overall cloud strategy. The sooner you implement a cloud security plan, the better.

Protecting your cloud is not as easy as once thought. The growing sophistication of cyberattacks and plethora of cloud security vendor solutions have made the cybersecurity market confusing. Inadequate security can lead to an attack, possibly impacting an organization's reputation, profitability and goals. Yet the right cloud security solutions can give your organization vital protection and elevate your team’s efforts, and those of DevOps, IAM and others. Choosing well can even enhance your strategic standing in the organization.

Let’s say you’ve done your research and identified vendors whose offerings look promising for your needs. (And if you’ve yet to do so, try these tips for choosing a cloud security vendor). You’re ready for a call or demo.

We’ve compiled a framework of questions to help you drive the conversation with the vendor and decide whether to take things to the next step. Be sure to add to the list to increase its relevance for your own challenges, product, architecture and on-the-ground reality.

What do you take off my plate and my team’s?

The main purpose of your cloud security vendor is to protect your cloud environment from security breaches, damage or violations by identifying and mitigating security risks and threats. Cloud security offerings usually secure different parts of the cloud, from threat management and workload protection to access management and more.

Caveat emptor! Vendors increasingly tout broader solutions than they actually provide. Get to the bottom of an offering’s true value with questions like:

  • Which cloud security areas do you not cover?
  • What complementary solutions would give me a fuller solution?
  • Who in my organization is your offering designed to use? Who will optimally use it? Who in my organization would be pleasantly surprised by what your solution can do?
  • What do your customers most often say they love about your solution?
  • Which types of breaches and attacks do you prevent? How could you have helped prevent the recent SolarWinds or Kaseya attacks?

How do you help me achieve and measure ROI?

For many organizations, the biggest gap in cloud security capability is operational. Barriers include a lack of cloud security expertise and personnel, cloud expansion that outpaces security due to organic growth and/or M&As, and shadow IT/security that leaves security teams “driving blind.”

Any solution you buy should help you achieve, measure and report on ROI. Aside from asking the obvious “what kind of ROI can I expect from your solution,” drill down to ask:

  • How can my environment achieve the most ROI from your solution?
  • What ROI is your greatest strength?
  • What helped your existing customers achieve the ROI they did?
  • What is the single most significant ROI your solution will give me (time, headcount cost, expertise cost, ...)?
  • How does your solution enable me to quantify and report on my ROI?

What makes you better than your competition?

We’ve mentioned market volatility and the difficulty of deciphering the value of cloud security solutions. Let the vendor clear some of that smoke for you by citing and defending how they differentiate. Ask about their top competition, how they compare and why they are better suited to you. Listen carefully and use their replies to go deeper, and as input to your own subsequent research.

Consider these additional questions:

  • Who is shaping up to be your top competition next year? Why should my specific organization go with you and not with them?
  • Describe 2-3 of your installed customer use cases and the ROI they cite.
  • What are some problems customers have with your solution? Give examples of where your solution is not, or has not been, a good fit.
  • How many capabilities in your offering are the result of acquisitions? [You can Google this on your own, of course – but hearing how they respond can be informative.]
  • What do you think of consolidation in the cloud security market? Where do you expect your solution to be in two years?

How do you help me achieve compliance?

Being compliant alone is not enough to secure your cloud environment, but it is an important first step and essential to every cloud security strategy. So if you’re in the market for a solution that addresses compliance and are interviewing a vendor that claims to help, be sure to cite your best-practice requirements and the regulations relevant to your industry. Ask:

  • Which compliance regulations do you help me achieve, and how exactly does that work?
  • Do you alert in real-time about compliance violations?
  • Is there an auto-fix capability in case of a violation?
  • What kinds of audits can you help me with? Cite examples.
  • What reporting do you offer? Can I see examples?
  • How fast do your releases update changes in regulations?

After purchase what will I still need to protect my cloud infrastructure?

This question aims at understanding vendor integrity and vision. Gartner recently introduced a new category for comprehensive cloud security coverage: CNAPP (Cloud Native Application Protection Platforms), which converges other categories such as Cloud Infrastructure Entitlement Management (CIEM), Cloud Workload Protection Platforms (CWPP) and more. While vendors (or their marketing & sales teams) are trying to get in line with CNAPP, Gartner notes that no vendor yet provides a wholly comprehensive CNAPP.

In any case, as you figured out in question #1, you will need cloud security capabilities beyond what this vendor covers. Clarify where the vendor’s solution starts and ends -- and where they see their offering in the context of CNAPP. Ask further questions, such as:

  • What makes your technology suited to CNAPP?
  • What features does your offering lack today that – based on what you understand of my environment and tools – I most urgently need?
  • How does your offering integrate with other offerings I might need to purchase?
  • What part of the shared responsibility model do you cover?
  • How does your product exceed what I can achieve with cloud native tools?

How fast can I operationalize your solution?

In other words, what does onboarding involve and how soon will I see results? When deciding on a vendor, you want to know how swiftly you can implement the platform and gain insights. To get a good sense of this, you need to understand what their implementation process involves. This will also help you assess which internal stakeholders you need to get on board. For example, you will likely need your DevOps team if there’s an agent to set up, and your product team to allocate developer resources for integrations.

Additional questions along these lines:

  • How hard (or easy) is it to operationalize your solution? Give real use cases, please.
  • What does your onboarding process look like? How long should it take? Is training involved? How much, how long, for whom?
  • How long before we start seeing results? What are the first kinds of results to expect?
  • Who will be there for me on a rainy day - or on a sunny day with occasional clouds (i.e., describe your client success/support system and how I will interact with it)?
  • What is your SLA for support tickets?
  • What if I need to scale up fast - how does that work?

Next Steps

You’ve done your research and identified cloud security vendors that you believe can help you secure your cloud infrastructure. Engage them with impunity! Let them make their value to you crystal clear, with proof points. Challenge them to provide answers relevant to your organization, not their standard pitch. Demand that they drill down into their offering and show how it can be adapted to your cloud environment. Ask them who in your organization they think can benefit from the solution and who they recommend should participate in the evaluation process.

Once you’ve narrowed down your vendor candidates list, move forward to a PoC. You wouldn’t buy a used car without a hands-on look at how it runs and feels, right? Do a test drive on your own data to make sure the solution is a good fit.

And what should you ask during the PoC? Stay tuned; we will be covering that next.