In my last post, “Why FOI?”, I talked about some of the reasons security investments fail. One of the things I mentioned in passing was purchasing the wrong technology for what you are trying to accomplish. In other words, not defining your requirements prior to making a decision on what to buy.

Most vendors that are worth their salt will help you with this as you are looking at different options. One of the first questions they should ask is “What are you trying to accomplish?” The second question should be “Have you defined requirements?” If you have not defined requirements, then they should be willing to step back and wait. That doesn’t mean they go silent until you call. They may be able to give you some insight into what some of the requirements should be. Many technologies have very similar requirements at a base level, and vendors can help you define those. They may also be willing to give you some guidance in going deeper into your requirements.

If you don’t know what your requirements are, then how will you know what solution best meets your needs? How will you know whether you are buying something that will make you more secure rather than less secure? You can’t take the vendor’s word here, because they don’t know your environment and business needs. They may sell you what they think will work for you, but in reality it may miss a major need that you have. It may work against other protections you already have in place. It may make you less secure as a whole.

Requirements are required if you hope to be successful in protecting your data. You have to be able to answer the who, what, when, where, and how if you want the technology you buy to do what you think it will do.