In this blog post
As global IT is rapidly being digitalized, the network security requirements of major businesses are offered as Out of The Box (OOTB) IT security products by IT OEMs (Information Technology Original Equipment Manufacturers).
The products offered by OEMs adhere to global standards like ISO/IEC 2700, NIST, GDPR, CCPA, and PDPB, which leads to businesses buying licenses for the end products with the intention of saving time and money. However, while integrating, deploying, and maintaining the product solution, the intention of owning the product is violated.
This article focuses on the customizations of the OOTB products that should be avoided, and steps for tuning the customization of the requirements in the licensed products.
Customization is desirable when it lies within the OOTB product’s radar. Moving beyond the limits leads to multiple operational challenges.
Customizations that are narrower in scope end up being under-utilized. There are certain customizations that can very well be done without. It is ideal to conduct an analysis to validate whether the time and money invested for such customizations will give proportionate benefits/returns.
Product OEMs should be consulted on matters of future releases and implementations before taking such decisions. Choosing the right implementation partner is equally important. Failing to do so may result in issues in production systems, in terms of Audit, Governance, Security, and Operations. Realizing the flaw in later stages costs businesses heavily. Extensive testing must be conducted to ensure the end-to-end capabilities of the OOTB product are not violated.
Listed below are few observations based on my discussions with executives who have faced such issues in ongoing and completed implementations.
Customizations to Avoid
- OOTB products are customized by overwriting thousands of lines of code. It makes the product tightly coupled to the network and makes the future upgrades and migration of the product complex.
- Disregarding the recommendations of product architects & SMEs and making customizations to the existing capability of the products to meet the isolated requirements of a business leads to further hidden issues in the products. Finally, what the business demands is to customize, which violates the intent of the OOTB product.
- Random customizations make the products compatible with the existing enterprise architecture which makes the network vulnerable.
Below are some challenges:
- OOTB designed products are unable to consume the business data as it is in some cases
- Some business users are not willing to migrate to new systems, or unable to educate the users to utilize the new systems.
- OOTB APIs are not utilized in places where it is required.
Cons of Customizing
- OEMs provide support for OOTB features only and not for customized ones.
- The impact of customizations on the product’s performance, optimization, and security is not always clear.
- Audit and Governance are not manageable if the customizations are not end-to-end.
- The above issues may lead to a lower return on investment for the customizations
Steps to Avoid Major Customization
For New implementations
- The Road Map and strategy should be derived by doing a detailed analysis of the current and future state while selecting the product solution.
- PoCs for requirements of the future state should be done with multiple products which offer similar services in the market to select the right one.
- Future requirements vs product compliance matrix should be validated.
- Gap analysis between the current state and future state should be executed through discussions with product owners and key stakeholders in the business.
- Implementation partners could be engaged in such activities which could refine the analysis and offer their expertise on working with multiple similar products in the market so that the outcome (product selected) is best in terms of cost and techno-functional requirements.
For existing implementations where the product solution is already deployed
- OOTB product features should be utilized efficiently by vendors, partners, and service providers.
- To utilize the OOTB product, massaging the existing dataset or minimal restructuring post risk analysis is acceptable. This exercise should be done before onboarding the product solution.
- For any new requirement which is not OOTB, rather than customizing the product solution independently as an end-user (business entity), a collaborative approach with implementation partners and OEMs’ professional services (minimal) should be taken. This can help address the complexity of requirements without any major roadblocks in the implementation in terms of security and performance of the product solution already deployed in the network. In this approach, support from the product team is available too, which is a great plus.
Role of OEMs
OEMs should take the necessary efforts to understand the needs of the customers and deliver relevant products. This will help in ensuring a positive client experience.
Below are few things the OEMs should consider:
- OEMs should have periodic discussions with clients, service providers, and partners, and collect inputs to upgrade their product and remain competitive.
- Client-specific local customizations which could be utilized by global clients should be encouraged and implemented.
- OEMs should implement the latest technologies and trends in OOTB products sooner than later.
- OEMs could use the same technical terminologies across the products which offer similar services, as of now individual products use their own which is not a client and user-friendly.
Since security is the top priority for all, above discussed improvisations, tips and pointers should be followed by all the IT OEMs in the market who produce IT network security products.
Customizations in IT security products are not avoidable. But it should be minimal and configurable based on the business-specific requirements and not major enhancements.
OOTB vs Customization Ratio