The Data-Driven Approach to Cybersecurity Vendor Selection

Richard Stiennon shares a data-driven approach to cybersecurity vendor selection, moving beyond peer insights to requirements-based evaluation.

In the increasingly complex and rapidly changing landscape of cybersecurity, the decision to invest in a vendor or platform is one of the most critical challenges facing security leaders. The key to navigating this is moving beyond reliance on peer insights or industry hype and adopting a data-driven, requirements-based approach, while constantly adapting to emerging threats like automation and supply chain attacks.

We spoke with Richard Stiennon, Chief Research Analyst at IT-Harvest and author of Security Yearbook 2024, about his insights on vendor selection, the true value of analyst reports, and the evolution of network security concepts like Intrusion Detection Systems (IDS).

You can read the complete episode transcript here.

How Should Organizations Select a Cloud Security Vendor?

While many organizations select vendors based on peer recommendations, value-added resellers (VARs), or industry analyst endorsements, the most effective approach is to treat the process like buying a car: start with a full market view and your specific, data-backed requirements.

Common, Less Ideal Selection Methods

  • Peer Insight: CISOs often look for peer insights, selecting a product if somebody they respect in a bigger organization uses it (e.g., “they went with CrowdStrike, so let’s do that”). This is a surprisingly common practice.
  • Reseller Influence: A value-added reseller may recommend a product they believe is best, though they likely selected it based on what is selling the best.
  • Industry Analysts: Analysts may ask questions that elicit what the client is already leaning towards, often giving a “stamp of approval” to the client’s decision rather than offering a truly definitive choice, as their answer is typically “it depends”.

The Requirements-First Approach

  1. Define Requirements: Start by defining your requirements, even if you are unsure what they are initially. Determine what layers of defense you need to cover, such as network access control, workload protection, and identity protection (PAM, customer, user, or third-party).
  2. Evaluate Cloud-Native First: Before purchasing a third-party product, check if the cloud provider already offers the solution—it is often close to free. Third-party vendors often put a “nice front end” on the cloud provider’s offerings and charge a lot for better management.
  3. Proof of Concept (POC) is Easy, but Be Skeptical: POCs for cloud security products are often “mind-blowing” and can be set up in minutes, quickly revealing critical misconfigurations. Don’t immediately say “yes” to the first vendor; get at least two other quotes and try them out.
  4. Vendor Assessment: Evaluate the vendor’s viability and health. Consider their headquarters location (e.g., Chinese or Russian) and whether they are in the process of being acquired, which can introduce instability.

The Multi-Cloud Consideration

In a multi-cloud setup, the selection process changes because you generally cannot rely on one cloud provider to service the others. You lose the benefit of the native, integrated capabilities that the individual cloud providers offer.

  1. Tool Agnosticism: You must look for tools that can handle multiple environments, which most multi-cloud solutions do.
  2. Question the Value: Richard often questions the value of multi-cloud until later stages, suggesting that an initial “multi-cloud” setup should be one cloud provider plus your own data center (running your own bare-metal infrastructure as a private cloud).
  3. Open Source: Small companies with technically savvy people often turn to open source for multi-cloud solutions.
  4. Native Capability Loss: You lose the benefit of the native capability that individual cloud providers offer.

Do Gartner’s Reports Actually Matter, and Can Vendors Buy Their Ranking?

Industry analyst reports, such as Gartner’s Magic Quadrant, hold significant weight, but their influence and integrity are often misunderstood.

  1. Ranking Integrity: Vendors absolutely cannot purchase their ranking in Magic Quadrants or other reports. Analysts are typically insulated from knowing how much a vendor spends. Gartner remains independent because vendors are only 10% of their revenue; the majority comes from selling advice to CISOs and executives.
  2. Purpose: Gartner customers tend to be late adopters who do not buy the latest and greatest. Gartner serves a good purpose by giving these CIOs and CISOs really good advice about what other large companies are doing, providing approaches and even pricing information.
  3. The Failing: The primary failing is that analysts give their opinions rather than the data needed for a client to make a decision themselves. They may miss smaller, regional, but perfectly viable vendors that would offer excellent customer support (e.g., a UTM vendor in Perth, Australia).

How Can Organizations Avoid Checkbox Buying and Overcome Leadership Constraints?

A major mistake is checkbox buying—selecting a product simply to meet a compliance or customer requirement.

Avoiding Checkbox Buying

  • Dual Purpose Tools: Ensure that the product, while fulfilling a compliance requirement (e.g., “we got logs”), actually makes you more secure. The tool should also give you more visibility, recoverability, and resilience.
  • Use Real Frameworks: A mature organization will already have adopted a framework like NIST and will know what security gaps they have (e.g., lack of coverage in one of NIST’s 23 areas).

Dealing with Leadership Constraints

When leadership has non-security motivations (e.g., “we have to use CrowdStrike” because of a marketing partnership), security teams must work around the constraints.

  • Pad the Solution: If forced to use a specific vendor (e.g., CrowdStrike), you can “pad it” by adding other solutions (e.g., using Defender to catch viruses, which is often already paid for) to beef up and work around the constraints.
  • Desktop Exercises: Use tabletop exercises (desktop exercises for incident response) to find gaps in process and visibility. This is the most important thing you can do, and it can save you so much during an actual incident.

What Implementation and Vendor Management Practices are Essential?

Contracting and Phased Rollouts

  • Payment Terms: Try to include terms in the contract that you will not pay the vendor until the product is up and running. This incentivizes the vendor to prioritize implementation.
  • Training & Support: Ensure that professional services, training, and the ability to extend support are included in the contract, though cloud security often needs very little configuration.
  • Phased Rollout: Do not use a “big bang” approach. Use phases of implementation and roll out endpoint solutions incrementally (e.g., on IT people’s desktops first). This allows you to learn and prepare users for the change.

Zero Trust for Updates

This is an application of Zero Trust: Do not trust the vendor to have perfect updates.

  • SaaS Risk: With SaaS solutions, the vendor can change the solution all day without telling you.
  • Build in Delays: Do not have a process where the vendor can auto-update software (especially agents on your endpoints) and you just accept it. Build in delays (e.g., 24-hour delay) to let other organizations do the initial testing for you.
  • Testing: Organizations with good testing processes would have discovered a faulty update in that window and not deployed it.
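Tying the phased-rollout and build-in-delays points together, here is an added example (not from the interview or from Cloudanix) of a policy gate that decides whether an agent update may be pushed to a given rollout ring. The ring names, the per-ring delays and the sample release time are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Rollout rings in order. Each ring waits at least MIN_AGE after the vendor
# publishes a build, so other organizations and our own earlier rings take the
# first risk. Ring names and delays are assumptions for this example.
RING_ORDER = ["canary", "pilot", "fleet"]
MIN_AGE = {
    "canary": timedelta(hours=24),  # IT staff desktops first
    "pilot": timedelta(hours=72),   # one business unit
    "fleet": timedelta(days=7),     # everyone else
}


@dataclass
class UpdateCandidate:
    version: str
    published_at: datetime                            # vendor release time, UTC
    healthy_rings: set = field(default_factory=set)   # rings finished without breakage
    halted: bool = False                              # set when any ring reports failures


def decide(cand: UpdateCandidate, ring: str, now: datetime):
    """Return (approve, reason): approve only if not halted, old enough, and prior ring healthy."""
    if ring not in MIN_AGE:
        raise ValueError(f"unknown ring {ring!r}")
    if cand.halted:
        return False, f"{cand.version}: halted, an earlier ring reported breakage"
    age = now - cand.published_at
    if age < MIN_AGE[ring]:
        return False, f"{cand.version}: too new for {ring}, wait {MIN_AGE[ring] - age}"
    idx = RING_ORDER.index(ring)
    if idx > 0 and RING_ORDER[idx - 1] not in cand.healthy_rings:
        return False, f"{cand.version}: gated, {RING_ORDER[idx - 1]} not yet healthy"
    return True, f"{cand.version}: approved for {ring}"


# Constructed sample release time (not a real vendor build).
SAMPLE_PUBLISHED = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)


def run_scenario():
    """Walk one constructed release through the rings; returns the approve flags."""
    cand = UpdateCandidate("2.3.1", SAMPLE_PUBLISHED)

    def at(**kw):
        return SAMPLE_PUBLISHED + timedelta(**kw)

    out = [decide(cand, "canary", at(hours=1))[0],   # False: only 1h old
           decide(cand, "canary", at(hours=25))[0],  # True: 24h delay satisfied
           decide(cand, "pilot", at(hours=73))[0]]   # False: canary not yet healthy
    cand.healthy_rings.add("canary")
    out.append(decide(cand, "pilot", at(hours=73))[0])  # True: canary reported healthy
    cand.halted = True                                  # pilot ring reports crash loops
    out.append(decide(cand, "fleet", at(days=8))[0])    # False: halted despite age
    return out
```

The gate replaces an auto-accept channel: the vendor may publish whenever it likes, but nothing reaches a ring until the delay has elapsed and the previous ring has reported healthy.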

Where Should Organizations Start Their Zero Trust Journey?

Zero Trust is quickly becoming the new normal in cybersecurity. While it is a little more “ephemeral” than a layered defense model, it is a framework that helps organize security thought.

  • The Engineer’s Mindset: An engineer (like Richard) thinks in terms of a layered defense model: stop attackers, identify what they will attack (endpoint, network, data), and secure each layer.
  • Starting Point: You can adopt a Zero Trust framework to guide your existing work and shoehorn it into the model.
  • Graduated Trust: Zero Trust is more accurately “graduated trust” or “dynamic trust”. You give more trust based on credentials, and less trust based on context (e.g., logging in from China).

Is Intrusion Detection System (IDS) Dead? The Evolution of Network Security

Richard Stiennon is known for his 2003 pronouncement that IDS was worthless. His argument was rooted in the lack of action taken on the millions of alerts generated.

  • The Problem with IDS: IDS was designed to look at what does get in, generating alerts when a signature of known-bad traffic was seen. However, in two years at Gartner, Richard never met one team that had 24x7 coverage for IDS—they were capturing alerts but not doing anything with them.
  • The IPS Solution (Action vs. Alert): If you have a signature for an attack, why create an alert when you can stop those packets and shut off the connection? This ability to stop the packets is the Intrusion Prevention System (IPS).
  • The Legacy: The market for selling IDS evaporated. This created two new industries:
    • MSSPs (Managed Security Service Providers): A way to outsource the problem of ignoring logs to somebody else.
    • SIEM (Security Information and Event Management): A place to store alerts (data management platform) that people can also ignore. The ultimate takeaway is that action versus alert is the key: if you’re not taking action, the system is pointless.

What are the Most Critical Emerging Threats, and How Should CISOs Handle Burnout?

Emerging Threats: Automation

The most critical emerging threat is more automation on the part of the attackers.

  • Speed: Attackers will not take weeks to break into systems; they will take minutes using AI tasked with picking from a library of exploits. Two minutes later, they could have everything they were after from a critical resource.
  • Defense: Organizations must start being prepared to turn on automation now, pushing the boundaries of SOAR solutions. They must become comfortable with a tool using AI to reset a TCP/IP connection or shut off an API call, as debugging that is less onerous than dealing with a mass data theft.

Burnout for Security Leaders

With 73% of CISOs and security leaders reporting burnout, Richard’s advice is to think big picture and step out of the current situation.

  • Perspective: Don’t let a specific thing that’s happening consume you. Have a backup plan and know that it’s not the end of the world for you personally.
  • Preparation: You should not be making new decisions during an emergency. Pre-planning (e.g., knowing who to call at the FBI or SEC) and practicing/rehearsing the incident response plan through tabletop exercises will save so much stress.
  • Leadership Role: A leader’s job is to get the resources so the team isn’t stressed or burned out.

Final Conclusion: The Path to a Resilient Security Posture

The modern security landscape demands that leaders abandon outdated practices like checkbox buying and embrace a data-driven approach to vendor selection. Resiliency is not achieved by trusting a single analyst opinion or relying on automatic updates. It is achieved through pragmatic Zero Trust—using real requirements, vetting vendor health, enforcing phased rollouts, and building delays into software updates. As attackers increasingly leverage automation, security teams must prioritize SOAR capabilities and accept that rapid, automated response is the only defense against minute-scale breaches. Ultimately, the ability to think big picture and be meticulously prepared is the key to minimizing stress and navigating constant change.
