In addition to asking about specific features, there are several questions that are worth asking vendors. The following questions help in understanding the maturity of products and focus on potential breakpoints of projects.
Do you specialize in serving specific industries?
Large vendors will have customers across most industries. Some smaller vendors may focus on specific industry sectors, such as retail, media, health care, finance, etc. In some circumstances, vendors with experience and focus on the industry that is specific to your organization may provide more value.
What are your key differentiators?
Understanding the key differentiators between the vendors is essential. Ask the vendor what their unique capabilities are. For example, agentless scanning, attack path analysis, how vulnerabilities are prioritized, tracking back vulnerabilities to the application code, risk analysis.
What certifications and attestations have you obtained for the solution?
Certification of the solution against security standards as well as industry regulations not only confirms compliance; it also demonstrates the vendor’s commitment and conveys trust. Security certifications such as ISO27001 and attestations such as SOC 2 as well as the relevant industry regulations and standards should be considered. Note that the solution itself should be covered, not just the cloud service that is used to deliver it.
Does your solution help customers with regulatory or standards compliance?
Depending on geography and industry sector, organizations are often subject to a wide range of regulations. These regulations usually include obligations to protect financial data, such as PCI-DSS, and personal data protection such as GDPR, California’s CCPA and HIPAA for US health care providers. How does the solution of your organization meet your obligations under the relevant laws and regulations?
How does your solution support a hybrid multi-cloud strategy?
Organizations are exploiting multiple clouds as well as on-premises and edge computing. How does the solution help to support the mixture of environments in your organization, as well as your prospects for cloud migration?
How does your solution integrate and interoperate with other tools?
Does the PAM solution integrate and/or interoperate with tools such as vulnerability management or incident management tools. Consider how PAM may integrate with other business IT tools such as ITSM, GRC and IGSA tools
What systems and development environments are supported?
There is a wide range of development environments, CI/CD pipelines, and orchestration tools. How does the solution support the ones that you are using and your plans for the future?
How does your solution achieve scalability and high availability?
Does the solution scale sufficiently to meet your needs for application development, deployment, and migration? Are there any limits that you need to consider? How can the solution be configured to meet the levels of services availability that your organization requires from the services? How does the service help to manage incidents that impact on the services being managed?
What is on your short-term and long-term roadmap?
The list of features on a vendor's roadmap is a good indicator of their innovativeness and the vendor's ability to support emerging use cases. What features are expected in the near or long term (e.g., 3, 6, or 12 months out)?
What are the emerging trends that you are seeing?
Threat actors are constantly innovating, and security solution providers are usually aware of their changing tactics. If the CNAPP vendor has special expertise in finding and deterring the kinds of cyber threats your organization is experiencing, then this topic merits further discussion.
Can I speak to some reference customers?
Finally, it is usually enlightening to speak to one or more reference customers. It is most helpful when the reference customer is in a similar industry and region.