- The first is the "CYA" crowd. These are people looking to cover their backsides for decisions they want to make. They've done their homework, they know what they want to do, and they are looking for the name-brand research firm to validate their decisions so senior management will let them move forward.
- The second group is lazy. These people don't want to do any work, so they look to the research firm to tell them exactly what to do. They look at the quadrant reports and call the vendors in the top-right corner. To be clear, the research firms definitely frown upon this use of their research, but it happens every day.
- The third category includes those that are looking to get smarter and use the research firm as a broad and long educational process on a certain topic. Clearly every company is different, but most published research tends to be generic.
Depending on which category an organization falls into, what it needs out of a research company will differ. As a CYA, the big brand name is important. For someone in group two, i.e. looking to get out of work, the brand name usually suffices, but there are a number of smaller specialists that do deep technical and architectural work.
For someone in the third group, most of the research firms will do a decent job because the process is run by the enterprise. The enterprise security officer can direct the analysts to give the needed information and then verify decisions as he or she learns more about the topic.
And yes, I think it's worth the money -- as long as the buyers are educated and actually use the information they purchase to make good decisions and take positive action toward building a better security program.