Wed Jan 20 ’16, by Mark Chapman, President & CEO of PhishLine
Part 1: Selecting a Vendor
Most organizations find that working with an experienced third party when implementing a security awareness testing and training program is easier than going it alone. Leveraging the vendor’s experience in conducting testing and training across the enterprise is a great way to shorten the learning curve and hasten the return on investment. Dedicated vendors can provide a broad set of experience, tools, and data that can help programs be more successful today and into the future. But first, you need to select the right vendor: one that can help you develop a program that meets your needs.
The following are important factors to consider when selecting a vendor and beginning to develop your program. Taking the time to think about them at the beginning will save you time and backtracking later on.
What is your intent?
Are you looking for an education-only platform, or do you want the ability to combine threat simulation and training? If all you need is an education platform, many vendors can service that limited need. Integrated platforms simplify the follow-up process (a user who clicks a simulated lure can be routed directly to the relevant training), let you validate the effectiveness of campaign content by measuring whether click and report rates change on later simulations, streamline reporting, and future-proof the investment.
What vectors of attack are of concern?
Is your vision to test only email phishing, or would you like to conduct voice (vishing), SMS (smishing) and mobile media attack simulations as well? While all vendors have some of these components, each has its particular strength. The ultimate goal is to choose a fully integrated platform that includes completely automated social engineering vectors with robust educational content. Keep in mind that voice and SMS simulations often reach employees’ personal phones, so ask how the vendor handles consent, opt-out, and the telephony and privacy rules that apply in your regions.
What languages do you need to support?
Vendors typically provide multilingual content and custom language translation services. Be sure to consider regional dialects, and always pilot content in your environment before a full deployment.
What particular security, privacy, and/or regulatory considerations need to be met by the prospective partner?
There is a lot of variation when it comes to security, with options ranging from software hosted on shared public cloud infrastructure to dedicated hosting facilities. Some vendors provide options for on-premises deployment. Whatever the model, remember that simulation results identify which of your employees fell for a lure; that is sensitive personal data. Ask where it is stored, who at the vendor can see it, how customer tenants are isolated, how long results are retained, and what independent assurance (such as third-party audit reports) the vendor can provide before you sign.
Do you want the vendor to provide hosting of your own training content?
Vendors who can host SCORM-compliant content give you the flexibility to focus on the content and let the vendor handle the hosting. There are also options where you can host vendor training content on your existing Learning Management System (LMS).
Will you require significant customization of the training content?
Customization capabilities and costs vary widely between vendors. Many allow you to incorporate your own branding, logos, and styles. The ability to customize the actual curriculum with your specific message is another important consideration.
Does the vendor provide third-party content from other security awareness providers to broaden the training catalogue?
Training content needs to be fresh and objective. A one-stop shop can provide depth without introducing new vendor relationships.
Are malware analysis and centralized phishing reporting requirements?
Do you require a plugin for your email client, typically a report-phish button that forwards suspicious messages to a central mailbox or directly to the security team? If so, which email clients need support? Many vendors provide options. The lines are starting to blur between awareness vendors and incident response solutions, so consider whether a best-of-breed or an all-in-one approach is most appropriate for your environment.
Do you prefer to manually load user information and attributes or do you require integration with Active Directory, LDAP, or other identity stores?
The ability to securely automate the entire program is a compelling idea, but do not underestimate the time it will take to feed data to a solution. Per-group targeting and reporting depend on attributes such as department, location, and manager being accurate in the identity store, and any directory integration should use a dedicated read-only account scoped to the attributes the platform actually needs.
Do you have specific reporting requirements?
It seems every vendor allows reporting data to be exported to Excel. Will you have to perform extensive gymnastics in Excel to get the data you need? Look for a vendor that allows custom reporting and analysis in a format that is ready for you to use.
Are there other systems or data sources that you would like to integrate with the testing and training platform?
Risk-based solutions tend to work better with more data. Vendors provide several approaches, which may help take your program to the next level by extending the teachable moments to the Teachable Moments that Matter™. Application Programming Interface (API) options can help you leverage the data and capabilities otherwise trapped in a vendor solution.
Do you require a Software as a Service (SaaS) model or would you like a fully managed program?
What resources are available to assist with planning in both the SaaS and Managed service model? From turn-key consulting solutions to customizable SaaS platforms, you will be able to find multiple options in the marketplace.
While this list is not exhaustive, it will help you determine what you need from the program and to narrow down your search to a few providers. Remember to focus on finding a vendor that can provide the key capabilities you require to make your program successful.
Learn More in Part 2/2: Developing the Program.