Bringing your network security up to par involves a fair amount of self-discovery, followed by performing due diligence regarding potential vendors. Here are some steps to follow:
1. Inventory and evaluate your existing assets, procedures, tools and services
Take a fresh look at your workloads, databases, servers, cloud instances, endpoints, software (including security products) and networking gear. Are they all up-to-date? Are any obsolete and should be replaced?
Examine your network topology — is it segmented to prevent easy lateral movement by intruders? How about your identity and access management (IAM) systems and policies? Have you implemented multi-factor authentication (MFA)? How about the principle of least-privileged access?
Don't forget that employees are also assets, because you'll need to determine which staff members get the highest access privileges. If you can afford it, call in an outside consulting firm to provide a fresh pair of eyes or even to do a vulnerability assessment to expose your weak points.
"You need to think of security holistically," says Aviv Abramovich, head of security services product management at Check Point. "Your network actually extends to the employee that sits at home in their slippers, reading their email on their bring-your-own-computer connected to their personal Wi-Fi router at home."
2. Make a plan
What do you need in terms of network security? What do you want? And most importantly, what can you afford? Create a wish list, create a budget, and then rank the tools and services you'd like to obtain according to how soon you need them.
You'll also need to factor in your organization's growth plan. Where will your company be in five years? 10 years? Does that vision affect your network-security needs?
Most mid-sized and large organizations would benefit from a zero-trust model, but for smaller companies, the costs of migration and retraining might not be worth the trouble.
Likewise, organizations with far-flung branch offices and many permanent remote workers would gain a lot from a secure access service edge (SASE) or security service edge (SSE) model — here's more on how to determine your SASE needs — but there wouldn't be much benefit for companies that mainly deal with retail customers online.
3. Assess your existing network-security tools
Do you have any tools that can be repurposed for, say, a zero-trust or SASE model? Can you get rid of some tools or services? Or do you have long-term service contracts that cannot be easily broken?
"Very rarely do you ever get rid of a security tool," says David Sinclair, founder and CEO of 4FreedomMobile. "You add things on top of it."
For example, if you have a software-defined wide-area network (SD-WAN) to connect branch offices, a cloud access security broker (CASB) to protect your cloud apps, or a cloud-based firewall as a service (FWaaS), those could be used for a SASE setup.
4. Make sure the C-suite is in your corner
You won't get far with your network-security modernization plan unless you have the full backing of company leadership and the appropriate resources to get the job done. This is doubly true if you're migrating to a new network-security model such as zero-trust or SASE, because those transitions could take a couple of years to implement.
Present the top brass with a comprehensive, easy-to-understand modernization plan with clear goals and KPIs that you can use to later determine the return on the company's investment. If you're purchasing new products or services, indicate your first choices, but also make clear you'll settle for second-best if it's a bit cheaper and, very importantly, nearly as good.
5. Grill potential product vendors
If you do need new products or services, then it pays to be an informed shopper. Ask industry peers which products or vendors they might recommend and ask potential vendors if they have experience with clients in your industry.
Look for vendors that have proven track records of success. Use third-party reviews and assessments, such as Miercom's Zero Trust Platform Assessment, for independent viewpoints. When you choose a vendor for a large project, you're entering a long-term mutual relationship, so see how well the vendor meshes with your corporate culture.
Also ask prospective vendors:
- about the total cost of product ownership, including training and long-term support
- about the product's scalability and ease of use
- about the product’s ability to work with your existing tools
- if the vendor can assist with product implementation
- if the vendor might offer bundles of different tools that could save you money
- about the product road map — are there any new features on the way?
"Ultimately, what you want to compare is the level of threat mitigation or de-risking that these different solutions or different offerings can do for you," says Abramovich. "You can ask yourself, 'What is my risk before and after, and which one of them will help me mitigate the risk better?'"
Remember — no matter what their marketing may claim, no company offers a full off-the-shelf zero-trust implementation.
"I think everybody who would say that they do, I would challenge that claim," Abramovich adds.
