Starting a Validation—Don’t Make All of Your Decisions up Front

A security validation is a substantial process—getting it started can be daunting. But you don’t need to decide everything up front—in fact, you shouldn’t. There are definitely some important considerations to work through, but there are some decisions you should put off until you are well into the process. If you have been tasked with getting a security validation done for your product, where to begin is, in fact, one question you need to answer. If you are like most people, you start by reading and researching the security standards, evaluation laboratories, and validation consultants. Then the feeling that you need to start making some decisions sets in. Assuming you are still open to suggestions, stop right there. There are things you need to work on, but making decisions is not one of them. Keeping an open mind at this stage is critical to the future success of your validation effort. If you aren’t making decisions, what should you be doing? Here are some crucial first steps:

  • Understand what your ROI looks like. Do you understand why you are getting a security validation? What could your sales team do if they had a validated product in their arsenal? Understanding your potential ROI will be be critical when you start making decisions later in the process.
  • Get the support of major stakeholders. If your sales team is asking for validation, is the engineering team on board? What would it take to get them on board if they are not?
  • Identify the budget. Security validations are not inexpensive. Making sure you have appropriate budget is important for success.
  • Find out when your next major release cycle will be. Chances are, changes are going to need to be made to your product. Understanding when those changes could fit into a product release will be key.

What decisions should be deferred?

  • The “level” of validation you should pursue. You need to understand a lot about the path through certification before you can make this decision. It is good to have an idea of what is required to meet your ROI goals, but typically there are many options for product vendors to consider before making this decision.
  • Which testing laboratory to use. The choice of a testing laboratory should be made based on experience, availability, cost, and several other factors. Making this choice before you understand how to make these tradeoffs unnecessarily limits your options.
  • Which scheme/country to choose. Many security validations are done in multiple countries. There are reasons to have your validation work done in one over another. You need to understand these reasons and how they apply to your product and goals before you make this choice.
  • A validation boundary. Deciding what to validate, which seems like it should be a very obvious choice, is almost never obvious. After 15 years, I begin every new engagement with a customer asking them to stay open minded as to their validation boundary until we explore the technical and business issues surrounding a validation. This decision is best delayed as long as possible.

Starting a validation requires a lot of considerations and research. But it doesn’t require you to have all the answers up front. Learn as much as you can without closing off any avenues too soon. The more you know, the better your decisions will be at the appropriate time in your process. Learn how Corsec can help you with the considerations and decisions required in your security validation process. Click here to contact us and receive more information.

Leave a Comment