Practical Security Solutions
By Ron Collette, CISSP & Mike Gentile, CISSP
ron@cisohandbook.com, mike@cisohandbook.com
We don’t need to tell you that security is a big, complicated monster of a subject…but we just did. The truth of the matter is that this simple fact is often obscured by the countless security product vendors that populate our industry. This article is a brief tour of the practices of many product vendors and the resulting damage they inflict on the security industry. We don’t want to condemn all vendors, but the behavior is prevalent enough to warrant our rant. If you are a member of the vendor community, please read this article and try to avoid the use of these practices. Let’s get started.
There are a number of questionable practices employed by the vendor community for security products. The first and most despicable is the tiring use of the FUD-Factor. We’re not talking about Elmer, rather the sales model employed by vendors in this space: (F)ear, (U)ncertainty, and (D)oubt.
This tactic preys on the ignorant, promising a solution to a problem that is either misunderstood or may not even exist. Shame on you, Mr. Vendor! For the non-vendors reading this article, imagine the poor CFO attempting to separate fact from fiction regarding the myriad of available tools and claims. This person is likely ill-prepared for such a task; after all, their background is accounting, not risk management. What is the result of this tactic?
This approach often causes organizations to overlook the “root cause” of an issue and instead focus on the tool that addresses the symptoms: a tool that claims it will solve every problem from bad food in the cafeteria to world peace. This re-focusing has negative ramifications that directly impact the success of a struggling security professional, because reliance on tools promotes an attitude of reactive behavior.
Reactive behavior in the security world is deadly. Just ask the folks at the Marriott hotels. Good security requires a balance of proactive, change control, and reactive behavior. Whether you realize it or not, tool reliance generally shifts the emphasis of the security program heavily towards a reactive stance. Your inventory of tools is capable of performing a fixed number of functions. If you believe that this represents the universe of potential risk, anything occurring outside of that universe causes a reaction. The other danger of focusing on tools is that they can create a false sense of security.
Read any marketing brochure and you find the implication that the advertised tool will solve all of your problems. If you are foolish enough to fall into this trap, the resulting complacency and dependency will limit any real strides in reducing the risk. Don’t get us wrong, there is a time and place for security tools. But don’t forget that they are NOT the security program. This leads to an interesting and important conclusion: Most Security Vendors Don’t Understand Security.
We don’t mean to imply that they don’t understand their niche. Quite the contrary, they are usually experts in their specific areas of security. But as we stated at the beginning of this article, Security is BIG. It touches everything in an organization and as a result has a number of inter-related components which no single tool can address.
A balanced perspective on security needs to factor in People, Process, Technology, and Facilities. Security vendors, for the most part, only address the technology. However, you would never be able to determine that from the marketing literature, which leads to the final point: the disinformation campaign.
Security product vendors do not intentionally misinform their prospective clients. They merely leverage and exploit facts that support the selection of their products. Go to the Internet and try to determine how many web sites are dedicated to providing independent evaluations of products. Why do they exist? Because the information provided by the vendors is skewed. This fact is immaterial if you are a seasoned security professional who expects it, but not if you’re someone whose primary discipline is not security; remember the poor CFO.
Please don’t misunderstand us. We don’t mean to imply that all vendors are evil. Quite the contrary, product vendors can be a terrific complement to a thorough security strategy for an organization. You just need to know how to manage them and separate fact from fiction. Let’s review some warning signs that should make you skeptical.
Warning Signs
· A phone call from a vendor asking whether your company plans any new security projects this year.
· Is the reputation of the company founders based on security expertise or product development?
· Marketing brochures that seem too good to be true… they probably are.
· Over-simplification of security issues. Limiting the problem to a technology issue.
· Necessary functionality is promised in the next product release… call me when you have the next release!
· Scripted answers that don’t address the original question.
How to Maximize the Use of Security Product Vendors
Don’t let the vendor define your problems for you. Understand the real issue that your organization needs to address. In many cases, vendors will zero in on a specific set of symptoms that their product addresses brilliantly, but the enterprise is left solving the core issue. The means by which you can control this is through the use of requirements.
Like any good project, product selection should be driven by requirements. This will aid in ensuring that the selected solution addresses the true need of the organization. This process will also solidify the purpose of the product, providing a “Bozo” filter against misinformation. Lastly, documented requirements will aid in the quantification of the problem and provide political gravity to support the purchase. Once the requirements have been captured, you may begin the vendor selection process.
A repeatable vendor selection process is the key to managing your vendors. If you don’t have a process, create one. It will provide a fair, objective, and efficient means of evaluating and selecting the right product and vendor for your organization. Lastly, don’t forget the supporting processes and procedures.
Too often, we see that organizations purchase products without understanding the processes and procedures necessary to implement, change, and support them correctly. We have actually seen organizations that have purchased complete multi-million dollar licenses for products only to leave them in shrink-wrap boxes collecting dust when they realized the effort necessary to implement them.
In closing, we want to again mention that there are good technology vendors out there and they provide valuable services if used properly. Just remember: their objective is to sell product; your objective is to manage the risk profile for your organization.