Ask vendors the questions that matter.

This gives the vendor an opportunity to describe their research into cybersecurity. From this one can glean an understanding of how active their research programs are.

Many vendors and government agencies share IOC and threat information. Some also actively publish discovered threat information as soon as they discover it, for the betterment of the community. Vendors that are active in this way demonstrate cybersecurity innovation leadership.

Large vendors will have customers across most industries. Some smaller vendors may focus on specific industries, such as aerospace, pharmaceuticals, health care, finance, etc. In some circumstances, vendors with industry-specific experience and focus may provide more value.

Does your solution use machine learning? If so, which types: supervised, unsupervised, deep learning, etc.? Does your solution use machine learning to automate parts of the PAM process, for example, analytics and password management?

Some PAM vendors are now developing special modules that provide privileged access to specific departments such as DevOps or CI/CD that rely on rapid and changing access to privileged accounts.

Does the PAM solution integrate and/or interoperate with tools such as vulnerability management or incident management tools. Consider how PAM may integrate with other business IT tools such as ITSM, GRC and IGSA tools

Some vendors now offer cloud-based management consoles. The main advantage to this approach is that the vendor handles the upkeep of the console. Some organizations still prefer to operate the console on-premises, due to security concerns.

Currently, most PAM solutions rely on passwords that are stored in an encrypted vault to automate access to privileged accounts. However, password have limitations especially when associated with shared accounts and some vendors are now offering passwordless and vaultless access using certificates and other ephemeral credentials.

What features are on the vendors’ roadmaps? If the PAM solution under consideration does not currently contain all the services and capabilities you need, find out how far down the line those may be offered, if at all. Are there plans for mergers or buyouts? Companies with incomplete products but with advanced features are sometimes looking to be acquired by larger vendors, whose own products need such innovation. Establish as far as you can that you will not be left with an unsupported product.

Finally, it is usually enlightening to speak to one or more reference customers. It is most helpful when the reference customer is in a similar industry and region.