reviewer2170611 - PeerSpot reviewer
Security Architect at a computer software company with 501-1,000 employees
Reseller
Top 5
Reduces alert volumes, speeds up investigations, and handles big data well
Pros and Cons
  • "If you want to understand how it can analyze or find out incidents, the visibility is good."
  • "We'd like to see a more seamless cloud-based integration."

What is our primary use case?

The solution is primarily for security incident investigation. Whenever a customer wants to monitor the environment for any security incident or events that are occurring, and they want to analyze the incident when virtual issues happen, that's when we propose Splunk. Otherwise, it's difficult to understand what kind of security event is arising in the environment.

What is most valuable?

The primary feature that is the most valuable is the correlation feature, which helps you analyze the data. If there's a lot of telemetry data at some point, Splunk can take advantage of it. It can handle a large volume of data. 

Now, with big data, AI, and all those things, the amount of security data that is generated is too high. Generally, the other SIEMs face trouble when handling big data. However, Splunk itself is a very strong solution for handling lots of data. It helps the SOC team analyze data very well, and it does not crash when handling large amounts. That's a key benefit.

Our customers usually monitor multiple cloud environments. It's not very difficult. There are two ways we use Splunk. One is that they can be multiple cloud environments. The second is that it can be an on-prem and a cloud environment. We are mapping it to our one solution. 

Splunk is very flexible, and it can be integrated with other solutions.

If you want to understand how it can analyze or find out incidents, the visibility is good. The best visibility would always be in the on-prem environment. Then, the cloud, since Splunk is not a native cloud solution like Microsoft's Sentinel, is used. We don't see a lot of challenges if we do a hybrid kind of setup, however.

I'd assess Splunk's insider threat detection capabilities to help find unknown threats or anomalous user behavior at an eight out of ten. Splunk itself uses another agent or another module to do it. Splunk does the job. It's not that it will not do the job; however, it will require more refining than other solutions in the market.

My team uses the Splunk Mission Control, threat topology, and ATT&CK framework features, which are really helpful. We've used it for multiple customers. We take their existing SOC or detection use cases and try to map them to the framework. From a security point of view, it obviously makes a solution more superior. With Splunk, you can catch more security incidents. From a best practice standpoint also, it is a good thing, as we can configure the solution, and, according to that configuration, the entire performance is better in terms of security.

It's very useful for assessing malicious activities or detecting breaches. It's a robust solution. 

We've been able to help customers detect threats faster. It might be 5% to 10% faster in some cases. And since we can analyze large volumes of data, we're not missing any particular data point or data set. That gives us an advantage.

Splunk helps reduce alert volume. You can reduce your alert volume based on your configuration, and it's highly customizable, so it can help you reduce alerts by a lot. It's helped us improve the quality of incidents we receive. 

It's helping customers speed up security investigations somewhat.

It improves the resilience of a company thanks to its ability to quickly analyze data.  

What needs improvement?

While it's costlier than other solutions, it's highly stable. 

The security orchestration response requires a bit of improvement. 

We'd like to see a more seamless cloud-based integration.

Their mobile features for iOS and Android could be improved in terms of quality of performance. 

For how long have I used the solution?

I've been using the solution for three and a half years. 

Buyer's Guide
Splunk Enterprise Security
May 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's a highly stable product, even for large customers with diverse environments. Even for companies that have huge amounts of data, it does not crash. It's the preferred option when a lot of data is involved. It offers good resilience and improves performance.

What do I think about the scalability of the solution?

I'd rate the scalability seven out of ten since it is not cloud-native.

How are customer service and support?

Technical support is good. We purchase premium support services.

How would you rate customer service and support?

Positive

How was the initial setup?

I was not involved in the initial setup of the solution. 

The solution is deployed wherever your appliance is. You deploy it where your software team wants to monitor from. Typically, that's headquarters or a company's security center. Splunk then has agents that help devices connect across geographies. For example, while Splunk may be primarily in the UK, it can cover devices via agents across Europe, and the agents can monitor other environments.

We have between two to five people who handle maintenance activities, depending on the client. 

What other advice do I have?

There is a threat intelligence management feature. However, customers don't use it in our case. Typically, customers want something superior in that nature.

Price is a major concern for most customers, big or small. However, price should not be the determining factor when seeking a solution. Users need to think about performance and quality. They need something that will help them prevent security incidents, and they need a product that will be stable. If you can monitor your environment better, you can prevent incidents that may lead to financial loss - and when incidents happen, companies can spend far more dealing with an extended phishing attack than they would on a service like Splunk that will protect them effectively. When it comes to security, while it's not necessary to have the most expensive solution on the market, you should at least seek out a solution that's best suited to your company and its needs.

I'd rate the solution eight out of ten. It's a great option for enterprise-level companies. However, a smaller customer with a smaller budget may not be a good match. They may not need such a powerful solution in any case. That said, if a customer is about to grow a lot, I might suggest Splunk as a primary option. I'd advise potential users to look at the environment size and complexity, consider the budget, and then decide if Splunk makes sense. 

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
PeerSpot user
MarcoDi Gioia - PeerSpot reviewer
Security Consultant at Sitael
Consultant
Top 20
Is flexible, and provides good actionable intelligence, but is expensive
Pros and Cons
  • "Splunk Enterprise Security offers two valuable features: the Common Information Model and arrangement modules."
  • "While Splunk offers SOAR as a separate product, integrating it into the next version of Splunk Enterprise Security as a unified solution would be beneficial."

What is our primary use case?

Splunk Enterprise Security is used for security monitoring. It helps manage the governance of the security monitoring from the start of an incident to the resolution.

How has it helped my organization?

Splunk Enterprise Security offers excellent visibility across multiple environments. It's a flexible platform with virtually no limitations.

The actionable intelligence provided by the threat intelligence management feature is good.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps us detect threats much faster than before.

Depending on the client and their configuration, Splunk Enterprise Security can help reduce their alert volume by under 50 percent.

Splunk Enterprise Security helps our clients expedite security investigations. It achieves this by streamlining the process of finding evidence and incident logs within Splunk's data module.

What is most valuable?

Splunk Enterprise Security offers two valuable features: the Common Information Model and arrangement modules. The CIM helps standardize data for efficient searches, while arrangement modules automate incident log processing by enriching them with contextual client information.

What needs improvement?

While Splunk offers SOAR as a separate product, integrating it into the next version of Splunk Enterprise Security as a unified solution would be beneficial.

For how long have I used the solution?

I have been using Splunk Enterprise Security for 2 years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

How are customer service and support?

The technical support experience is moderate. It can take a long time to resolve issues, and I often need to explain the problem to multiple support representatives. Ideally, I would have a single point of contact assigned to my ticket throughout the entire process.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup of Splunk Enterprise Security involves moderate complexity. Deployment time can vary significantly, ranging from one hour to one month, depending on the environment's complexity.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is expensive.

What other advice do I have?

I would rate Splunk Enterprise Security 7 out of 10.

I suggest integrating SOAR with Splunk Enterprise Security.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: consultant
PeerSpot user
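The Common Information Model the review above credits for "efficient searches" is, in practice, a shared field-naming convention: for authentication events, every source is mapped onto the same fields (action, user, src, dest, app), so one search covers Windows, Linux, and everything else. The block below is an added illustration in Python, not Splunk's code and not the reviewer's; it normalizes constructed Windows Security and OpenSSH sample lines onto that common shape, flags events that cannot be mapped, and runs a single query across both. The field names follow the CIM Authentication data model; the parsers, sample lines, and the `REQUIRED_FIELDS` check are my assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample events keyed by source type. None of these are real logs.
RAW_EVENTS = [
    ("wineventlog", "EventCode=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Computer=DC01 LogonType=3"),
    ("linux_secure", "Mar  3 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2"),
    ("linux_secure", "Mar  3 10:15:07 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.9 port 51030 ssh2"),
    ("wineventlog", "EventCode=4624 TargetUserName=deploy IpAddress=10.0.0.9 Computer=DC01 LogonType=3"),
    ("linux_secure", "Mar  3 10:16:00 web01 sshd[2240]: Failed password for root from 10.0.0.5 port 51040 ssh2"),
    # A non-auth line from the same source type: the parser must reject it, not guess.
    ("linux_secure", "Mar  3 10:17:00 web01 CRON[2250]: pam_unix(cron:session): session opened for user root"),
]

# Fields a shared authentication search relies on (assumed minimum set for this example).
# Events missing any of them are flagged rather than silently searched with gaps.
REQUIRED_FIELDS = ("action", "user", "src", "dest", "app")

WIN_LOGON_CODES = {"4624": "success", "4625": "failure"}


def parse_wineventlog(raw):
    """Map a key=value Windows Security logon event onto CIM Authentication fields."""
    kv = dict(pair.split("=", 1) for pair in raw.split())
    return {
        "action": WIN_LOGON_CODES.get(kv.get("EventCode"), "unknown"),
        "user": kv.get("TargetUserName"),
        "src": kv.get("IpAddress"),
        "dest": kv.get("Computer"),
        "app": "win:logon",
    }


SSHD_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Failed|Accepted)\s+\S+\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


def parse_linux_secure(raw):
    """Map an OpenSSH auth line onto the same CIM fields; None if it is not an auth line."""
    m = SSHD_RE.match(raw)
    if not m:
        return None
    return {
        "action": "failure" if m["outcome"] == "Failed" else "success",
        "user": m["user"],
        "src": m["src"],
        "dest": m["host"],
        "app": "sshd",
    }


PARSERS = {"wineventlog": parse_wineventlog, "linux_secure": parse_linux_secure}


def normalize(raw_events):
    """Run each raw event through its source-type parser.

    Returns (normalized events, rejected raw events). sourcetype and _raw are kept on
    each normalized event so an analyst can drill back to the original line.
    """
    events, rejected = [], []
    for sourcetype, raw in raw_events:
        parser = PARSERS.get(sourcetype)
        fields = parser(raw) if parser else None
        if fields is None or any(fields.get(f) is None for f in REQUIRED_FIELDS):
            rejected.append((sourcetype, raw))
            continue
        fields["sourcetype"] = sourcetype
        fields["_raw"] = raw
        events.append(fields)
    return events, rejected


def search(events, **criteria):
    """One query over every source type: equality on CIM field names only."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def failed_logins_by_src(events):
    """Roughly: action=failure | stats count by src, across all source types at once."""
    return Counter(e["src"] for e in search(events, action="failure"))


if __name__ == "__main__":
    normalized, bad = normalize(RAW_EVENTS)
    print("failed logins by src:", dict(failed_logins_by_src(normalized)))
    print("rejected:", bad)
```

The point the review makes shows up in `failed_logins_by_src`: it never mentions EventCode or sshd, only the common field names, so adding a third source type means writing one more parser, not rewriting every search. The rejected-events list is the check a practitioner wants, because a parser that silently emits partial fields is how a shared search quietly stops seeing part of the estate.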
Vikas Dusa - PeerSpot reviewer
Cyber Security Trainer and Programmer at Freelancer
Real User
Top 5 Leaderboard
Quickly identifies threats, secures our environment faster, and reduces alert volumes
Pros and Cons
  • "The Splunk queries are valuable."
  • "I would like the ability to view logs for specific instances and not have to pull the logs for the entire Cloud environment in Splunk."

What is our primary use case?

We use Splunk Enterprise Security to teach our students about security awareness in a more positive way. We can show them how these tools work and the benefits they bring. This will help them understand the importance of using Splunk Enterprise Security, not just for our clients, but for ourselves as well.

How has it helped my organization?

The Splunk dashboards are user-friendly.

I would rate Splunk's threat topology an eight out of ten. The threat topology provides a complete map so we can investigate security incidents quickly.

To effectively utilize Splunk for malicious activity analysis, a comprehensive understanding of the different event types and their functionalities is crucial. This involves examining specific events associated with potential malware, such as changes in system behavior. By gaining clear visibility into these events, we can identify the malware's goals within our environment and stop it.

Splunk helps us detect threats within three minutes.

We realized the benefits of Splunk within eight months. Splunk Enterprise Security helped secure our environment faster than other security solutions.

Splunk has helped reduce our alert volume.

What is most valuable?

The Splunk queries are valuable. There are a lot of query options available in Splunk compared to Sumo Logic.

What needs improvement?

It is difficult to monitor multiple cloud environments using Splunk.

I would like the ability to view logs for specific instances and not have to pull the logs for the entire Cloud environment in Splunk.

As the number of environments monitored by Splunk increases, the resource demands also grow, potentially slowing down the system.

Splunk's threat intelligence system gets a seven out of ten. There are frequent delays in updates, which can take up to three months for Splunk to make available.

For how long have I used the solution?

I have been using Splunk Enterprise Security for one year.

What do I think about the stability of the solution?

I would rate the stability of Splunk Enterprise Security ten out of ten.

The resilience is good. I have not faced any issues.

What do I think about the scalability of the solution?

I would rate the stability of Splunk Enterprise Security nine out of ten.

How are customer service and support?

The technical support team is good.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. Splunk provides wonderful documentation to help with the deployment.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is priced lower than competitors.

Splunk Enterprise Security is a good choice for startup companies because of the lower cost.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

Maintenance is required to address the false positive alerts.

I recommend Splunk Enterprise Security to others.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Owner at Infrasec
Real User
Top 5
Offers advanced threat detection, robust log management and powerful analytics to enhance organization's cybersecurity posture
Pros and Cons
  • "The most valuable features for us include its robust log management capabilities, which allow us to efficiently handle and retain logs for extended periods as needed."
  • "I find that the learning curve for Splunk is relatively lengthy."

What is our primary use case?

The primary focus of our work with Splunk is on security incident monitoring and security log monitoring. This involves utilizing it to analyze and respond to security events effectively. Additionally, compliance with regulatory requirements is another crucial aspect of our role. We also extend Splunk's functionality to custom applications by writing custom parsers and handling logs specific to those applications. This includes the development of unique dashboards tailored to the needs of each application.

How has it helped my organization?

Splunk's capabilities in insider threat detection are highly effective in assisting organizations in identifying unknown threats and anomalous user behavior. The sophistication of these features is notable, making them suitable and beneficial across a range of organizational sizes, from small businesses to large enterprises.

The threat topology and MITRE ATT&CK features are seamlessly integrated as complementary components within Azure.

It significantly accelerated security investigations, and I believe the improvement falls within the range of twenty to thirty percent.

The resilience provided by SIEM adds significant value; it is highly effective.

What is most valuable?

The most valuable features for us include its robust log management capabilities, which allow us to efficiently handle and retain logs for extended periods as needed. The flexibility to customize log retention periods is particularly beneficial. Additionally, we find the dashboard functionality and the advanced query language options to be highly valuable. These features, especially the powerful query language, are extensively utilized in our day-to-day operations.

What needs improvement?

I find that the learning curve for Splunk is relatively lengthy. To utilize it effectively, one needs a substantial amount of time for learning. I might appreciate a learning curve that comes with more out-of-the-box functionality, such as easily installable Splunk apps or user-friendly features.

For how long have I used the solution?

I have been working with it for three years.

What do I think about the stability of the solution?

I find it to be highly stable, and I would rate it a solid ten out of ten.

What do I think about the scalability of the solution?

I would rate its scalability capabilities ten out of ten.

Which solution did I use previously and why did I switch?

Before using Splunk, I relied on the built-in tools of Linux operating systems, such as syslog-ng, but specifically the open-source versions. I haven't had experience with the commercial version of syslog-ng, which is a more advanced tool. In this category, Splunk is essentially my first exposure to such advanced features.

How was the initial setup?

Setting up Splunk is quite straightforward, especially for basic configurations. The process is not overly complicated. While a cluster implementation may require more advanced steps, the basic setup is generally easy to handle.

What about the implementation team?

I handled the deployment independently, but the required personnel depends on the organization's size and the expected outcomes. For larger organizations, especially when the new tool integrates with various departments like operations, development, and security, it becomes a collaborative effort. In such cases, it's not a one-person job and involvement from multiple departments is essential. However, for smaller companies, the process is less complicated. It involves coordinating with support and developer teams to communicate the implementation, and the focus is on providing the necessary outputs from the tool to support their ongoing work effectively.

I utilized it in a single, non-geographically dispersed location. My experience is limited to a single site, and I haven't worked on a multi-site installation.

While it can run stably for a certain period, eventually, there is a need to manage or archive logs, especially if your background storage is not unlimited, as is often the case in these scenarios.

What was our ROI?

The return on investment is quite favorable with Splunk, particularly for large enterprises that have made the initial purchase and possess the requisite expertise and technical support.

What's my experience with pricing, setup cost, and licensing?

In terms of pricing, I believe Splunk is unreasonably costly for the majority of mid and small-sized companies. Its real advantages, or what sets it apart, seem to be more suitable for large enterprises.

What other advice do I have?

For the market I focus on, which includes small to medium-sized companies, I would recommend Wazuh. It's an open-source security information and event management solution. The main consideration is that, in terms of both functionality and cost, Wazuh is sufficient for the requirements of smaller enterprises. Utilizing an open-source tool like Wazuh can effectively cover the necessary areas without the need for the higher costs associated with Splunk.

I would recommend that anyone considering implementing Splunk should first thoroughly assess their environment. It's crucial to determine whether Splunk is genuinely needed for your specific usage scenario or if a smaller software solution might suffice. Overall, I would rate it nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Chief Cybersecurity Architect at cytek-security
Real User
Top 10
Excellent support, great visibility, and helpful for digesting any information and correlating it
Pros and Cons
  • "The ability to digest any information and then correlate it in accordance with what you need is valuable. The ability to connect to pretty much everything and bring the information in the same format is also valuable. On top of that, we can use their language in order to create and customize the dashboards, correlations, or analytics that we want to incorporate."
  • "They can incorporate the SOAR solution within the actual product so that we do not require two different products, two different installations, and two different pricing methods. In regards to UBA, I am familiar with the UBA that existed two years ago. I am not updated about it today, but two years ago, UBA required such an amount of data that from a cost perspective, it was not worth it. When you compare it to what you get out of the box with Microsoft Sentinel without additional costs, there is no match."

How has it helped my organization?

The visibility that it provides is awesome. You can connect it to whatever you want and create whatever visibility you want. 

Its insider threat detection capabilities for helping our organization find unknown threats and anomalous user behavior are great. They have a lot of built-in capabilities for analytics, and they can provide a lot of visualizations and insights into whatever is being brought into it. The threat intelligence that is part of the platform itself is awesome.

In terms of actionable intelligence, it depends on what you bring to the table. The platform itself gives you the capability to make threat intelligence actionable, but if your feed is not good, it is of no use. There is a lot of noise within the SIEM. This is not on Splunk. This is on the SIEM, but Splunk does help to eliminate a bit of the noise and create a more cohesive view of the intelligence you digest.

Splunk is very good for analyzing malicious activities and detecting breaches. Its ability to connect things that are manually hard to connect is awesome. It is a bit lacking when you compare it to Microsoft Sentinel because Microsoft Sentinel already brought the SOAR solution, which in the case of Splunk comes at an additional cost. When I used it, they did have it quite expensive, but as a SIEM, if you compare Splunk to other SIEMs, it provides you with a great ability to detect and understand that you have something that is suspicious and anomalous within your network. Its ability to connect things that otherwise cannot be connected by humans is very good.

It helps to detect threats faster, but I do not have the metrics. When it comes to reducing the alert volume, it is not Splunk. It is more of the analyst's work on top of Splunk.

Splunk definitely helps speed up our security investigations. It has the ability to connect and bring information with the click of a button. 

I have used Threat Topology and MITRE ATT&CK framework. It was very good for management but not so much for analysts' day-to-day work. It is a cool feature that helps you bring money from management, but it is not something that an analyst will use on a day-to-day basis.

What is most valuable?

The ability to digest any information and then correlate it in accordance with what you need is valuable. The ability to connect to pretty much everything and bring the information in the same format is also valuable. On top of that, we can use their language in order to create and customize the dashboards, correlations, or analytics that we want to incorporate. They also have a lot of out-of-the-box correlation that we can use, which is awesome.

What needs improvement?

They can incorporate the SOAR solution within the actual product so that we do not require two different products, two different installations, and two different pricing methods. In regards to UBA, I am familiar with the UBA that existed two years ago. I am not updated about it today, but two years ago, UBA required such an amount of data that from a cost perspective, it was not worth it. When you compare it to what you get out of the box with Microsoft Sentinel without additional costs, there is no match. 

For how long have I used the solution?

I have been working with it for the past five or six years. 

What do I think about the stability of the solution?

It is very stable. I did not have any crashes or malfunctions. It does have a bit of a stretching point when you are doing a very large query or you are retrieving a lot of data. For example, when you are retrieving months of logs in order to conduct an investigation. However, that is at the edge of the product. On a day-to-day basis, it is very stable. It does everything that you need to do. We did not have any crashes in either of our implementations. We did not have anything major.

What do I think about the scalability of the solution?

In the on-prem environment, it is scalable, but it requires work because you need to install indexers and forwarders. It requires more work from someone who is specialized in that domain, but in the cloud environment, it is super easy. It is very scalable. You can just grow as you need.

How are customer service and support?

Their support is awesome. I would rate them a ten out of ten. It is not just the technical support. Their documentation is also good. The whole support system is awesome.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used it in my last organization. In my current organization, we have adopted Microsoft Sentinel. I am creating a new managed service company, so it is going to provide service to multiple clients. We have multi-tenancy and full cloud environments and monitoring of on-prem solutions. When I implemented Splunk, it was not used for multi-tenancy. Their multi-tenancy was not that great. It was the old solution, but they now have the cloud environment that is more supportive of multi-tenancy, but with their on-prem solution, for multi-tenancy, we could just play with permissions. It was not the best. It was not proper multi-tenancy where you need different databases and different control planes. It was not the ideal solution, but now they have the cloud environment.

How was the initial setup?

The experience that I had a few years ago was for on-prem, but now, I do have an implementation that is cloud-based. We are implementing it cloud-based for one of our customers. It is deployed on AWS.

The initial deployment is very fast. It is very quick. The on-prem can take a few days, and it is up and running. If it is on the cloud, it is already installed. You only need to connect all the source logs. The duration depends on the number of source logs. It differs. I had a project where I connected all my source logs in one week, and I had a project that took about four months, but the number of logs was different. The complexity was different. We had to create our own connectors and our own parsers.

What's my experience with pricing, setup cost, and licensing?

The pricing is very complicated, and it is very pricey. You do require a lot of different licenses in order to get a comprehensive solution that is not just the SIEM solution.

To someone who is evaluating SIEM solutions but wants to go with the cheapest solution, I would recommend QRadar.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security an eight out of ten. There are several reasons for not rating it a nine or a ten because the pricing is very complicated, and it does require someone who is knowledgeable in the platform. You need someone who is specialized in that. Fortunately, I have these people, but when I tried to look for one in the beginning, it was not an easy job to find someone who was very skilled in this platform. Once you have such a person, it is awesome. You can do whatever you want. The sky is the limit. In fact, not even the sky is the limit. It does provide a very comprehensive solution. It does provide tons of flexibility. It is the platform that you should go for when you need something that is not ordinary or not your typical SIEM solution for a typical organization. It is the platform when you need something that will provide more. For example, one of the projects that I worked on was related to a SOC that needed to digest information from multiple organizations that already digest information, and we had to create cohesive use of that. In such a case, this is the platform to work with because it provides the flexibility that no one else provides.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Security Engineer at State of Nevada
Real User
Good at predicting, identifying, and solving problems in real-time
Pros and Cons
  • "Splunk has helped improve our company's resilience level."
  • "The upgrading process could be smoother."

What is our primary use case?

We primarily use the solution for SOC purposes.

How has it helped my organization?

The solution has made it possible to check and detect our traffic a bit better.

What is most valuable?

The incident review is great for working inside of a SOC. If we want to see everything, configure notables, and have all the notable features, it's useful. We're moving to SOAR right now for configuration for our work center. As far as ES in our work center, just detecting our notables and monitoring all our traffic is the most important feature as far as what our day-to-day is concerned.

Splunk has helped us with mean time to respond, although I don't have exact numbers.

Splunk has helped improve our company's resilience level.

Splunk is very good at predicting, identifying, and solving problems in real time. I've never used anything else, however, I'm impressed with the ease of it and the ability to find anything and everything we need. 

What needs improvement?

I do a lot of the maintenance. A lot of my workers are fresh into Linux and need to monitor, manage, and do maintenance on it. They should bring back the maintenance mode button. Splunk used to have it and they took that feature away.

The upgrading process could be smoother. 

For how long have I used the solution?

I've used the solution for about a year.

What do I think about the stability of the solution?

The stability and availability of Splunk are great. It does get weird when we initially update items, however. That's the only time we see issues. It may try to input data in areas it doesn't need to. That said, we are aware of the quirks of the setup. 

What do I think about the scalability of the solution?

Scaling is easy if you have done it a couple of times. 

The environment I have has multiple servers. We might have around 100 servers. 

How are customer service and support?

Splunk support is very communicative about our concerns. That said, the answers I've gotten back don't make sense. I'm not sure if they communicated our issue in the right way or if they misunderstood, however, they did not correctly address our issue. In the end, we do have a good dialogue. I now expect that they will misunderstand the problem on the first round and we have to go back and forth. The effort is there to try to understand. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

The company may have had QRadar for a while before Splunk. I wasn't around when they switched to Splunk so I cannot compare the two. 

How was the initial setup?

I was not involved in the initial deployment of Splunk. 

What was our ROI?

The company has witnessed an ROI in terms of the amount of time saved via being able to tweak our searches. The docs are great. They help tremendously in filling knowledge gaps. The ROI is solid. 

What's my experience with pricing, setup cost, and licensing?

I don't deal with pricing or licensing. 

What other advice do I have?

I've only worked with Splunk as far as data ingestion. 

The solution does take a bit of understanding. It does need improvements in some areas. I'd rate the solution seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2239917 - PeerSpot reviewer
IS Engineer at a hospitality company with 10,001+ employees
Real User
Top 20
Enables us to drive down the alert count and the alert fatigue for analysts to make the alerts they see more valuable and actionable
Pros and Cons
  • "The UI of Splunk makes it easier for our analysts to move around and see what they need to see."
  • "Features related to content management must be improved."

What is our primary use case?

Our SOC uses the solution to monitor our corporate and franchise environments.

What is most valuable?

Risk-based alerting is the most valuable feature. It really allows me to drive down the alert count and the alert fatigue for my analysts to make the alerts they see more valuable and actionable. The way that alerts are handled is better in Splunk. SPL is easier in Splunk. The UI of Splunk makes it easier for our analysts to move around and see what they need to see.

What needs improvement?

There are a lot of areas that are currently being improved that I want to be improved. Features related to content management must be improved. The product is adding more drill-downs.

When the tool was originally set up, things were not configured properly due to the rapid deadlines for installing everything. Now, we have to go back and recover a lot of things that aren't properly configured.

For how long have I used the solution?

I have been using the solution for approximately four years.

What do I think about the stability of the solution?

I haven't seen any issues with stability. Most of the stability issues I've seen have actually been on the on-prem hardware.

What do I think about the scalability of the solution?

We have no issues at all with scalability. The tool has high scalability and usability. The size of our environment is relatively large since it is an enterprise solution. We have around 5000 users and a franchise base.

How are customer service and support?

I have never had an issue with Splunk’s support team. Every time I ask a question, I usually receive really quick responses. We are in the middle of a migration, and the engineers helping us migrate to Splunk Cloud have been fantastic every step of the way. They provide really rapid and complete answers when we ask questions.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I use LogRhythm a lot. I worked for an MSSP, so I have seen several products. So far, Splunk has been my favorite.

What was our ROI?

We have definitely seen an ROI on the solution. Any security tool has a fantastic ROI. A lot of companies don't like to budget for security until there's an incident or something goes terribly, terribly wrong. Just having that SIEM and having eyes on potential security issues is an ROI.

What other advice do I have?

We are behind a few versions. So I hope that as we upgrade, I get more ideas for what I'd like to improve. We're still in the process of moving to the cloud.

The product has improved our organization's business resilience. The right tools are available to our analysts within the product, and we use them daily. It has drastically driven down our time to remediate, which is huge for us. It's huge for any company. We don't want it to take four hours to find out that something has gone terribly, terribly wrong. Finding such issues before they turn into full-blown security incidents has been our biggest impact.

Splunk Enterprise Security empowers our staff. It is so user-friendly. It allows our analysts at every level to learn the tool and learn more about security through the tool. I progressed from level one. Now, I'm a content developer for enterprise security. The usability of Splunk is the best on the market. The solution has helped reduce our mean time to resolve.

As we add new features and applications into Splunk, time to value is pretty quick on most things. As long as we have someone that's willing to go through the effort to configure, the time to value is rapid. Adding applications to Splunk is a seamless experience. The UI of Splunk makes life so much easier. Some of my experience is based on technical debt in the organizations I worked with. I would probably rate the tool a ten if we didn't have so much technical debt.

By attending Splunk conferences, I get to learn about all the new tools and how to implement them. I use it for RBA and Machine Learning Toolkit. I develop content for our company. I am here to learn how to implement RBA and Machine Learning Toolkit better to reduce alert fatigue for my analysts.

Overall, I rate the product an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
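The risk-based alerting the reviewer above credits with driving down alert volume works by having individual correlation searches write low-fidelity risk events to a risk index, and then alerting only when an entity's accumulated risk crosses a threshold. The search below is an added example, not the reviewer's content and not one of the correlation searches Splunk Enterprise Security ships. It assumes the default ES risk index and its standard risk fields (`risk_object`, `risk_object_type`, `risk_score`, `risk_message`, and `source` for the name of the search that produced the event), plus the MITRE annotation field `annotations.mitre_attack.mitre_tactic`, whose exact name should be checked against the ES version in use. The 100-point threshold and the rule and tactic counts are illustrative values, not recommendations.

```spl
index=risk earliest=-24h@h latest=now
| stats sum(risk_score) AS total_risk,
        dc(source) AS distinct_rules,
        dc(annotations.mitre_attack.mitre_tactic) AS distinct_tactics,
        values(source) AS rules,
        latest(risk_message) AS last_message
  BY risk_object, risk_object_type
| where total_risk >= 100 OR (distinct_rules >= 3 AND distinct_tactics >= 2)
| sort - total_risk
```

Run as a scheduled correlation search with a risk-notable adaptive response, this produces at most one notable per risk object per run rather than one notable per rule firing. The second clause in the `where` is the part that catches slow, low-scoring activity: three different rules spanning two ATT&CK tactics against the same host or user is suspicious even when no single event scored highly. Lone high-fidelity signals that should still alert on their own are handled by giving their originating search a `risk_score` at or above the threshold.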
SoheylNorozi - PeerSpot reviewer
IT Consultant at a tech services company with 51-200 employees
Real User
Top 5
We can script advanced queries with limited knowledge, uncover unknown threats, and identify anomalous user behavior
Pros and Cons
  • "The most valuable feature is the DSL, also known as SPL, because it allows users to script advanced queries with limited knowledge."
  • "The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex."

What is our primary use case?

Our customers utilize Splunk Enterprise Security for either their cybersecurity program or their data warehouse program.

How has it helped my organization?

Splunk Enterprise Security's threat detection capabilities are effective in assisting organizations to uncover unknown threats and identify anomalous user behavior. However, this effectiveness is dependent on using the UBA modules and having the proper infrastructure in place.

MITRE ATT&CK is the framework that we use to detect and track well-known threats. When there are well-known threats, we can utilize the MITRE ATT&CK to identify any anomalies.

Splunk Enterprise Security has its own routine and process defined for analyzing malicious activities and detecting breaches. Mainly, we baseline the client's business process and day-to-day activity and then use it to detect malicious activity through various scenarios.

Splunk Enterprise Security assists us in detecting threats more quickly. We have an abundance of unrelated and meaningless data from the raw logs, and the solution aids us in organizing and correlating this data so that we can extract meaningful events and take appropriate action. This is the primary objective for the majority of our clients. 

In most cases, we provide monitoring and intelligence to our customers based on how they use the solution. This allows other technical teams, such as PC, system support, and other tech units, to take appropriate actions. Our main role is to provide them with alerts and use case scenarios, while the detection and actions are primarily related to other aspects.

When we initially implement Splunk Enterprise Security, there are many alerts and false positives. However, with time, we are able to align our configuration with the client's requirements and do more baselining, reducing such issues.

Splunk Enterprise Security helps to expedite security investigations. Without a security solution, our security team is unable to identify threats because the log and auditing data are unrelated and uncategorized. Consequently, we cannot access them promptly. Therefore, having a solution like Splunk Enterprise Security is crucial for our cybersecurity program. For certain clients' needs, we prefer using open-source applications like ELK and ESK. However, if they opt for an enterprise and commercial product, Splunk is among the top three choices.

What is most valuable?

The most valuable feature is the DSL, also known as SPL, because it allows users to script advanced queries with limited knowledge.

What needs improvement?

The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently.

I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution making the maintenance for the security officer easier. 

For how long have I used the solution?

I have been using Splunk Enterprise Security for six years.

What do I think about the stability of the solution?

I rate the stability of Splunk Enterprise Security an eight out of ten.

What do I think about the scalability of the solution?

Splunk Enterprise Security can be easily scaled once it has been installed and deployed.

Cyber threat levels are increasing every day, especially during the pandemic when most employees needed remote access to their business services. As a result, many organizations experienced a surge in attacks and required a resilient SIEM and cybersecurity solution.

Which solution did I use previously and why did I switch?

I have used ELK, ESK, QRadar, Graylog, and LogRhythm in the past. One of Splunk's strengths over its competitors is its dedicated DSL called SPL.

The drawback of Splunk Enterprise Security is that upon initial installation, we need to do a lot of customization in order to have an effective cybersecurity program and deliver quality service to the client.

How was the initial setup?

The initial setup is straightforward, but we need to make some configurations afterward that can be a bit complex. The deployment time depends on the size, but it usually takes several months to ensure stability and requires two SIEM engineers.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is hardly affordable for most of our clients, causing many of them to resort to using open source solutions instead.

In addition to the licensing fee, there is also a support and maintenance charge.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten due to its high total cost of ownership, difficulties in maintenance, and the complexity of configuration immediately after deployment. 

Splunk Enterprise Security may not be cost-effective for small and even some medium-sized companies. While each organization has different requirements, we do recommend Splunk for medium and large organizations.

Organizations should take into account the complexity of their environment. For instance, if they have a purely vendor-based environment for their network security appliance, it may be easier for them to handle security, fabric, and architecture requirements. However, if they operate in a multi-vendor and mixed environment, they need to conduct more research on how to integrate various components. Often, they rush into negotiating their cybersecurity program without sufficient research, leading to potential problems for clients.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
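Two of the points in the review above go together in practice: baselining a client's day-to-day activity to detect deviations, and the CIM as the layer that normalizes vendor-specific logs into common fields. Once sources are mapped to a data model, a baseline search is written once against the model fields rather than once per vendor. The search below is an added example, not from the review, Splunk's documentation, or Splunk's shipped content. It assumes the CIM Authentication data model is accelerated (`summariesonly=true` returns nothing otherwise) and that the authentication sources in scope are mapped to `Authentication.user` and `Authentication.action`. The 30-day window, one-hour buckets, z-score cutoff of 3, and minimum of 10 logons are illustrative.

```spl
| tstats summariesonly=true count AS logons
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="success" earliest=-30d@d latest=now
    BY Authentication.user _time span=1h
| rename Authentication.user AS user
| eventstats avg(logons) AS baseline_avg, stdev(logons) AS baseline_stdev BY user
| where _time >= relative_time(now(), "-1h@h")
| eval zscore = if(baseline_stdev > 0, round((logons - baseline_avg) / baseline_stdev, 2), null())
| where zscore >= 3 AND logons >= 10
| table _time user logons baseline_avg baseline_stdev zscore
| sort - zscore
```

The per-user mean and standard deviation are computed over every hourly bucket in the window, then only the most recent hour is compared against them. Two caveats a practitioner should keep in mind: hours with no logons produce no bucket and so are not counted as zeros, which biases the baseline upward and makes the check conservative rather than noisy; and users first seen in the last hour have no history, so `baseline_stdev` is zero and `zscore` is null, which the filter drops. A new-account scenario therefore needs its own rule rather than relying on this one. Because the search reads only CIM fields, adding a new identity provider or OS family changes nothing here as long as its add-on tags the events into the Authentication model.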
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025