Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-camry-security/) The Camry is not the fastest car, nor is it the sexiest. But, it is one of the most popular cars because it delivers the best value. When CISOs are looking for security products, are they also shopping for Camry's instead of "best of breed" Cadillacs? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Lee Vorthman (@leevorthman), sr. director, global security engineering and architecture, Pearson. Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud. On this episode of Defense in Depth, you'll learn: CISOs have budgets and they simply can't purchase the most expensive and best option for every InfoSec need. Good enough is often exactly what they want. It's often not possible to take advantage of all the features on a Cadillac-type security product. So you end up paying for shelfware, or tools that never end up being used. The tool's complexity factors into the cost. This is often an argument against open source software which has been branded, most often by the proprietary software community, as "tough to use." Each tool creates a new demand on your staff in terms of time and complexity. What new costs are you introducing by acquiring and deploying a new tool? "Best of breed" everything can also turn into an integration nightmare. If you don't need everything a company is trying to offer, try to de-scope the requirements. Some companies are so big that they have no choice but to purchase the Cadillac for everything since so many departments will need access to the tool. It's far too complicated to create an RFP that takes into account everyone's needs. To speed access to the tool these large companies just get the product that "does everything" and then let all the departments "have at it" once it's available for use.