Get with IT
Information security vendors seem to have all the right stuff. In the last few years, they have cropped up with solutions for seemingly every possible security need. Be it software, appliances or cloud-based services, they have just what you need to address all the threats and risks your business faces — at least that’s what their marketing and sales folks will tell you. From general regulatory compliance and risk management to more specific solutions for data leakage prevention, mobile encryption and malware obliteration — there’s no reason your information systems should not be completely secure, right? Not hardly.
Don’t jump on the bandwagon just yet. There are some signs that you are not ready to buy any new information security products — regardless of what the vendors promise. Here they are in no particular order:
1. Management runs the business in a vacuum and has no clue about information security.
2. An outsider has told a decision maker inside your business that all they need is a certain technology or two to be safe and secure, without either person truly understanding the risks and what’s best for your specific business situation. It’s hardly that simple.
3. Management believes that everything is locked down because they funded that firewall and anti-virus software purchase last year.
4. Management funded a high-level audit performed by a non-technical auditor with a clipboard and a checklist, where everything checked out A-OK.
5. You don’t truly know what it is that you are trying to protect and what you are trying to protect it from.
6. What you are trying to protect is worth less than what you will have to spend to protect it (both initially and ongoing). With all the regulations around personally identifiable information these days, this one’s hard to refute, but I’ve still seen overly fancy security controls guarding electronic information that’s not worth anything to anyone.
7. Users are trusted by management to do the right thing in every situation. After all, they had sparkling references and passed a background check when they were hired. No point in protecting them from themselves.
8. You have no formal security policies stating “this is how we do it here” that have been formally documented, approved by management and are supported and enforced by an IT governance/security committee. Otherwise, you simply have a wish list for information security and compliance that will never stand up against real risks — even if you have a bunch of fancy technical controls in place.
9. Perhaps most importantly, you have not enabled the security controls that are already built into your operating systems and applications, such as strong authentication, file and database access controls, encryption, personal firewalls, patching, logging and so on. So many of these are overlooked, yet they can offer a ton of value without you having to spend an extra penny on third-party solutions.