4 ways to avoid cybersecurity snake oil

When it comes to cybersecurity, you want to do right by your students, your schools, and your district–but it’s not that simple.

The cybersecurity industry is massive, representing literally thousands of vendors in the United States alone, with the global cybersecurity market staged to grow to over $350B by 2026. The options are extensive and confusing, and sales teams have mastered the art of introducing fear, uncertainty and doubt into the minds of their prospects.

In a perfect world, sales teams that exist to protect organizations would be trustworthy and altruistic, but with that much scrap up for grabs, snake oil salespeople are out in full force trying to get your business. To help you sidestep this minefield, here are four steps to take with your cybersecurity program.

1. Conduct a risk assessment of potential vendors.

Before you start having conversations in earnest with vendors, conduct a risk assessment. If you wait until after you engage with a vendor to do this, you might find you’ve created a problem you could have avoided. Or, at the very least, you may have wasted a lot of time going through the sales calls and budget analysis just to learn it’s not a good fit.

So, as soon as possible, assess each potential vendor. If a vendor is resistant to this, consider that an enormous, bright red flag and promptly lose their number. For the other vendors who understand why you want to do this, approach it like you would when you conduct a risk assessment for yourself. Ask them questions along the lines of the following:

• Do you have incident response plans?
• Do you have security testing happening on a regular basis?
• Is there an actual expert in security who performs updates on a regular basis?
• If you build software, are you doing DevSecOps?
• How are you handling your security testing before you push a fix out?
• How willing are you to let a third party come in and audit you to create a general risk profile?

Also, remember that you should be very, very clear on the risk that a given offering is helping you to mitigate. If you are not absolutely sure of what risk a particular product solves for, pause and spend time gaining that clarity before moving forward.

2. Magic doesn’t exist.

Snake oil peddlers have perfected the art of their pitch, meaning they’ll make their security offering sound like a silver bullet. Remember, if it sounds too good to be true, it likely is. When it comes to cybersecurity, there’s no amount of technology that completely removes risk, negates the need for hard work, or can take the place of foundational cybersecurity principles like patching, strong password management, or multi-factor authentication.

For example, a vendor might say their offering can provide automated compliance to the Family Educational Rights and Privacy Act (FERPA). The reality is that there are still manual steps that need to be taken to get to the right level of compliance, even when it’s allegedly automated. There’s still hard work to be done and if a vendor makes it sound like you won’t have to lift a finger, they’re not being honest.

A quick tip–any vendor that tells you their “solution” for your cybersecurity needs solves all of your security concerns or challenges, just doesn’t get it. There is no total or complete solution for cybersecurity, just points on a scale that lead you toward reduced risk.

3. Take into account your total cost of ownership over time.

There are some offerings out there that promise a wide range of incredibly sophisticated functions–and can actually deliver on them. Before purchasing such a system, consider whether it’s designed for education (and priced for it). If so, make sure you actually factor in the full cost of using it before going any further.

As an example, let’s say a school is evaluating a highly advanced product that helps gather log data and make sense of it. The school sees this great product, and makes a purchase. What they don’t realize until it’s too late is that sophisticated technology like this requires a very specialized set of skills to operate. They have neither the number of full-time employees they need, nor people with the right level of expertise to use it properly.

So, make sure you understand how many people will be needed to run a given product and what their skills have to be. Also keep in mind the costs of training and recertification, along with the opportunity cost of pulling staff away from their other duties in order to take care of these new ones. If you fail to factor all this in, you can end up with expensive products that can’t be maximized, and waste significant money and time.

4. Understand your contract terms.

Most everyone has done it: skimming through a lengthy contract, hastily initialing, and signing on the dotted line. Who has time to read all that, much less make sense of the Ts and Cs? Well… you need to.

Especially when it comes to cyber safety, your contract is essential:

• First, find out how transactional the relationship will be. Will you have ongoing support, or are you on your own once you buy the software, tool, or product? Do you need to pay a premium support contract in order to get access to faster help? Is there an expiration date on the support you receive after a set term, requiring you to make a supplemental purchase for additional assistance? These questions have to be answered before you sign an agreement.
• Second, make sure you understand the service level agreement (SLA) and costs. Does performing backups cost extra? What’s the divorce clause like? What assurances are given that any data provided as part of the service was stored properly (with lists of locations), destroyed properly (with details on methods used and attestations of completion), and within an agreed upon timeframe after the engagement ends. Does it require additional payment, and, most importantly, who owns your data if you break up?

Your terms should all be clear, fair, and in your school or district’s best interest, so take the time to evaluate your contract before making a purchase. And, just like with a risk assessment, if a vendor balks because you have questions or suggestions for the agreement, run–don’t walk–away from the deal.

Final Thoughts

Remember that cybersecurity requires expertise and proper guidance. Whether it’s someone on staff who understands cybersecurity and is qualified to advise you on it, a third party or virtual chief security officer (vCSO), or a volunteer expert from your local university, make sure you have help from someone who has walked the walk and can talk the talk.

As you prepare your cybersecurity program, keep in mind that you should plan to reevaluate it each year. Gone are the days when we plan five years out, because technology is racing ahead at warp speed. So, keep this in mind as you evaluate vendors and make plans. It’s never easy to sort through security purveyors but remember this: if something feels slimy, it’s probably snake oil.