Take these steps to carefully evaluate cybersecurity vendors--and if something seems too good to be true, it likely is

4 ways to avoid cybersecurity snake oil


Take these steps to carefully evaluate cybersecurity vendors--and if something seems too good to be true, it likely is

When it comes to cybersecurity, you want to do right by your students, your schools, and your district–but it’s not that simple.

The cybersecurity industry is massive, representing literally thousands of vendors in the United States alone, with the global cybersecurity market staged to grow to over $350B by 2026. The options are extensive and confusing, and sales teams have mastered the art of introducing fear, uncertainty and doubt into the minds of their prospects.

In a perfect world, sales teams that exist to protect organizations would be trustworthy and altruistic, but with that much scrap up for grabs, snake oil salespeople are out in full force trying to get your business. To help you sidestep this minefield, here are four steps to take with your cybersecurity program.

1. Conduct a risk assessment of potential vendors.

Before you start having conversations in earnest with vendors, conduct a risk assessment. If you wait until after you engage with a vendor to do this, you might find you’ve created a problem you could have avoided. Or, at the very least, you may have wasted a lot of time going through the sales calls and budget analysis just to learn it’s not a good fit.

So, as soon as possible, assess each potential vendor. If a vendor is resistant to this, consider that an enormous, bright red flag and promptly lose their number. For the other vendors who understand why you want to do this, approach it like you would when you conduct a risk assessment for yourself. Ask them questions along the lines of the following:

  • Do you have incident response plans?
  • Do you have security testing happening on a regular basis?
  • Is there an actual expert in security who performs updates on a regular basis?
  • If you build software, are you doing DevSecOps?
  • How are you handling your security testing before you push a fix out?
  • How willing are you to let a third party come in and audit you to create a general risk profile?

Also, remember that you should be very, very clear on the risk that a given offering is helping you to mitigate. If you are not absolutely sure of what risk a particular product solves for, pause and spend time gaining that clarity before moving forward.

2. Magic doesn’t exist.

Snake oil peddlers have perfected the art of their pitch, meaning they’ll make their security offering sound like a silver bullet. Remember, if it sounds too good to be true, it likely is. When it comes to cybersecurity, there’s no amount of technology that completely removes risk, negates the need for hard work, or can take the place of foundational cybersecurity principles like patching, strong password management, or multi-factor authentication.

Latest posts by eSchool Media Contributors (see all)

Want to share a great resource? Let us know at submissions@eschoolmedia.com.