This is a summary of an article written for the Forbes Technology Council by Fortinet’s Founder, President, and CTO, Michael Xie.
As digital business drives the rapid expansion of the network, organizations find themselves having to quickly select critical things like applications, devices, and services. Nowhere is this decision more critical than when selecting security vendors and services. However, the vast numbers of vendors and solutions available can make that decision-making process extremely challenging.
“Imagine self-diagnosing all your medical decisions based on pharmaceutical advertising -- with no standards for the claims made and no way to verify the benefits and risks -- it will give you an idea of what most CISOs and their teams must contend with when selecting security vendors and services.”
The problem is that no two vendors use the same standards for marketing the performance and functionality of their solutions, so comparison shopping is nearly impossible. When it comes to security, the stakes are extremely high.
“No one can choose to opt out of whether their utility providers or retailers use digital networks. Add to this complexity the fact that the services [security vendors] provide are often extremely technical and highly specific to the needs of rapidly changing networks and systems. And if that weren’t enough, customers now have more choices and companies have more competition than ever before.”
As a result, other than running their own test labs, organizations are too often forced to base critical decisions on nothing more than assurances from vendors. Thankfully, a simple solution to this challenge is available: independent third-party labs that use real-world environments to validate that security products actually do what they claim.
“The rise of third-party testing is helping shape and clarify industry standards, allowing customers to make well-informed decisions and providing security vendors with extremely valuable feedback on the real-world performance of their products. And while many security providers may be tempted to inflate their results -- especially when they are funding the testing of their own products -- third-party testing companies are actually disincentivized from doing this…because their professional reputations are directly tied to the quantifiable reliability of the tests they conduct.”
Independent testing not only allows consumers to accurately compare solutions from different vendors using common criteria, it can also “expose those weaknesses in a solution that the vendor may be trying to obscure from view.”
Of course, consumers still need to understand what they are looking at when reading third-party test results. It is important to research test data to ensure that the testing criteria used match your organization’s requirements.
These third-party labs do more than just provide consumers with a level playing field from which to assess and select solutions. They are also very valuable to the vendors, providing specific feedback not just on their solution, but in relation to other vendors competing in the same space, allowing them “to improve their focus and streamline their improvements across their entire security portfolio.”
As third-party testing becomes increasingly common, the lack of participation in independent verification itself could also serve as an important red flag. Customers would be right to have concerns about security vendors that avoid or downplay the benefits of third-party testing. Not only does such testing keep everything honest; it also drives innovation and improvements. And in the business of cybersecurity, those improvements don’t just make companies better -- they make us all safer.
This is a summary of an article written for the Forbes Technology Council entitled “In A World Where Digital Is Not Optional, Independent Third-Party Testing Is Critical,” by Fortinet’s Founder, President, and CTO, Michael Xie, published on Forbes.com on May 14, 2019.