As an IT decision-maker, navigating the vast array of security solutions on the market can be daunting. Identifying your organization’s specific needs and selecting the right vendor to meet them has become more challenging than ever. The abundance of buyer's guides, some vendor-sponsored, others claiming to be independent, can make it overwhelming to determine which direction to take or which reviews to trust.
In the identity security landscape alone, you must assess whether your organization needs privileged access management (PAM), identity and access management (IAM), identity governance and administration (IGA), or a combination of these, possibly delivered as an integrated platform. Adding to the complexity are “lite” software versions, modular pricing options and deployment options for on-premises, hybrid or fully SaaS-based solutions.
There are many delivery options to choose from. So, how can you identify your organization’s needs and ensure a vendor delivers the right solution? Asking a few strategic questions, as outlined below, can help streamline your search and focus your efforts.
Examining the Contenders
While the IGA market is well-established, new players continue to emerge, adding to an already crowded vendor landscape. With countless options to evaluate, attempting to review them all is impractical. Instead, focus on creating a targeted shortlist of vendors that align with your business needs.
To create your shortlist, aim for a balance of established vendors, challengers and emerging players. Conduct thorough research to understand the vendor landscape. Identify the key players, their specialties, the range of products they offer, their core capabilities and what they claim makes them unique in the market.
Begin by carefully and truthfully identifying your primary pain points. Ask yourself what is truly needed to achieve the desired business outcome. Compare the functional capabilities that matter most to your organization and evaluate how well they align with the vendor’s roadmap. Does the vendor support your target operating model, or are you an edge case for their solution? Also, consider whether you truly need all the advanced features or if a simpler approach would suffice.
Evaluate which vendor(s) align best with your company's characteristics. If you're a smaller or less mature organization, will an industry heavyweight provide the level of service you expect? Reflect on past commercial relationships with potential vendors — what went well, and what didn’t? Based on your interactions, identify which vendors you trust and why. Relationships matter; strong partnerships can significantly influence a project’s success. Consider whether you have an existing or previous relationship with any of the vendors, as this could be worth revisiting.
If you’re looking at new entrants into the market, research their stage of maturity: for example, how many rounds of funding they have taken so far and whether they’re likely to be acquired (as this could change their technology roadmap). How do these companies compare to your maturity level? Can they scale with you based on what you are trying to accomplish?
Analyst reports, crowd-sourced review sites like PeerSpot and respected industry rankings like the Gartner Hype Cycle or the Forrester Wave can be an excellent place to help with some of this research.
Questions to Ask a Prospective Vendor
Once you’ve got your list of companies to talk to, there are some key questions to ask them. First, consider your company strategy and how others expect your product or service to be consumed internally. For example, “Are you a SaaS or cloud-first company? Do you require autonomy over the service such that it's an on-premises deployment for which you are responsible?”
Ensure you compare apples to apples and not apples to oranges. Comparing a vendor best known for on-premises or hybrid deployments to a cloud-native vendor may not be a fair comparison.
Other important questions to ask:
- Why do your customers select your company?
- Who do you see as your top three competitors, and why?
- If you could change one opinion about your company and product, what would that be?
- How many other customers of our size and complexity do you have?
- What are the limitations of your product or service in terms of customization? Can you share an example where a customer required a feature you couldn't provide?
- If your target operating environment is cloud-based, how many cloud environments are included in this pricing? What's the pricing for additional environments, and how much control do I have over their orchestration?
- Have you had any security breaches or compliance failures in the last five years? How were they handled, and what changes occurred to ensure they wouldn't happen again?
- How many significant clients left you in the past two years, and can you explain why?
- How do you prioritize customer-driven changes in your product roadmap?
- How has your roadmap been delivered over the past 24 months?
A Fruitful Evaluation for Success
There are hundreds upon hundreds of security vendors today. Some offer a whole gamut of services, and others provide just one or two (sometimes niche) solutions. This can make it extremely difficult to figure out what your organization needs overall; even for just one slice of this pie, identity governance, there are an overwhelming number of choices.
You need to understand your primary decision factors and align them with what vendors are offering. The most expensive is not always the best, and the top-right analyst review may not always deliver the best capabilities for you. Consider using the clarifying questions noted above as a baseline to ensure you get the best solution for your organization's requirements without being sold a bill of goods or upsold on solutions you don't actually need.