How to lead your company through a security purchase

In previous columns I have repeatedly emphasized the importance of interoperability and the danger of security fragmentation.

Security is so fragmented that it is often hard to discern between hype and reality. Large security vendors try to draw you into a single-vendor closed integration package. Small vendors try to sell you the latest magic bullet, presenting what should be a feature as a whole new industry. Inevitably, you are left to cobble together disparate systems in order to get the depth of defense and layering of controls that you need. It is up to the security buyer to lead his or her company through the most effective and appropriate security purchase for the organization.

Here are some quick tips on how to be an effective “buyer” of security:


Never buy a single-purpose tool. This is inspired by Alton Brown, who advises against buying kitchen tools that are “uni-taskers” (e.g. a cherry pitter). Instead, make sure every tool or appliance you buy can be applied to different types of risk and attack. Widely applicable tools that are not specific to one threat will make a more effective toolbox and will provide deeper defenses and more overlapping layers of defense. Evaluate whether the tool or security solution covers:

• External and insider attacks

• Malicious and inadvertent incidents

• Known and unknown threats

• Automated and targeted attacks

• Heterogeneous OS and platforms (including mobile)

Avoid management feature overlap. You don’t need another reporting engine for compliance. You need the tool to integrate with your existing reporting engine. For each of the following areas you should think about building a multi-vendor, open-standards based, shared infrastructure. You should avoid replicating these functions in every tool:

• Logging and auditing

• User, group and role directory

• Policy management

• Alerting and notification

Focus on assets, not threats. A tool that protects any asset against one specific type of threat (e.g. guns, but not box cutters) is not as useful as a tool that protects one asset against any threat (e.g. reinforced flight-deck door).

If attackers can simply switch attack vectors, they will. If they have to switch targets, you have disadvantaged them.

Mortar, not bricks. The part that makes a wall strong is the mortar, not the bricks. Disconnected bricks fall down with a slight nudge. Buy “glue” software and security solutions that tie together various controls, monitoring systems, notification systems, etc. A well-integrated system with fewer controls is better than lots of disparate controls with no glue.
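To make the “glue” idea and the shared logging and alerting infrastructure above concrete, here is an added example that is not part of the column and does not describe any real product: two hypothetical vendors (vendorA, emitting key=value text lines; vendorB, emitting JSON lines with its own 0–10 score) are normalized into one event schema by a small glue layer, so that a single shared alerting rule and a simple cross-vendor correlation can be applied regardless of which tool produced the event. The vendor formats, field names, severity mapping and sample lines are all constructed for the example.

```python
"""Added example (not from the column): a small "glue" layer that normalizes
alerts from two hypothetical vendors into one shared event schema and hands
them to one shared alerting rule, instead of each tool bringing its own
reporting engine. Vendor formats and sample lines are constructed."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Event:
    ts: str         # ISO-8601 UTC timestamp, shared across sources
    source: str     # which tool produced the event
    severity: int   # shared scale: 1 (low) .. 5 (critical)
    host: str
    category: str
    message: str


# Hypothetical vendor A: key=value text lines with named severities (constructed)
VENDOR_A = [
    'ts=2024-03-01T10:00:00Z sev=high host=web01 cat=malware msg="dropper quarantined"',
    'ts=2024-03-01T10:05:00Z sev=low host=db02 cat=policy msg="usb storage blocked"',
]

# Hypothetical vendor B: JSON lines with epoch time and a 0-10 score (constructed)
VENDOR_B = [
    '{"time": 1709287500, "score": 9, "asset": "web01", "type": "intrusion", "detail": "webshell write"}',
    '{"time": 1709287800, "score": 2, "asset": "hr07", "type": "auth", "detail": "expired password use"}',
]

# Vendor A's named severities mapped onto the shared 1..5 scale (assumed mapping)
SEV_A = {"low": 1, "medium": 3, "high": 4, "critical": 5}


def parse_vendor_a(line):
    """Parse one key=value line; quoted values may contain spaces."""
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return Event(ts=kv["ts"], source="vendorA", severity=SEV_A[kv["sev"]],
                 host=kv["host"], category=kv["cat"], message=kv["msg"].strip('"'))


def parse_vendor_b(line):
    """Parse one JSON line; convert epoch time and rescale the 0-10 score to 1..5."""
    d = json.loads(line)
    ts = datetime.fromtimestamp(d["time"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sev = max(1, min(5, (d["score"] + 1) // 2))
    return Event(ts=ts, source="vendorB", severity=sev, host=d["asset"],
                 category=d["type"], message=d["detail"])


def normalize(a_lines, b_lines):
    """The glue: every source ends up in the same schema, ordered by time."""
    events = [parse_vendor_a(l) for l in a_lines] + [parse_vendor_b(l) for l in b_lines]
    return sorted(events, key=lambda e: e.ts)


def route(events, threshold=4):
    """Shared alerting rule: one place decides what pages someone, for every vendor."""
    return [e for e in events if e.severity >= threshold]


def hosts_seen_by_multiple_sources(events):
    """Cross-vendor correlation that no single tool could do on its own."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, set()).add(e.source)
    return sorted(h for h, s in by_host.items() if len(s) > 1)


if __name__ == "__main__":
    evs = normalize(VENDOR_A, VENDOR_B)
    for e in route(evs):
        print(f"ALERT {e.ts} {e.source} {e.host} sev={e.severity} {e.category}: {e.message}")
    print("hosts seen by more than one tool:", hosts_seen_by_multiple_sources(evs))
```

The point of the design is that the vendor-specific parsing is confined to two small functions, while the severity scale, the alerting threshold and the correlation logic live once in the shared layer; adding a third tool means writing one more parser, not a third reporting engine. Running the block prints the two alerts on web01 and reports web01 as the host seen by both tools.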

Empower people. Security cannot be automated as much as you’d like. Human adversaries will always be smarter than automated tools and will leverage human ingenuity to skirt around your protections. You can’t replace well-trained security professionals exercising judgment with computers. So empower the people by giving them tools that multiply their impact and productivity, instead of trying to replace them.

Standards, standards, standards. Interoperability and “glue” infrastructure require open APIs, open protocols, open formats and open standards. How do you know it’s really open and not just a committee endorsement of pseudo-standards? Look at how many different, potentially competing companies can interoperate using the standard. Ask the vendor: “Which of your competitors uses this?” If the answer is “none,” then it’s not a standard.

If all security buyers make slightly different choices, the industry will shift, dramatically and rapidly. There has never been a greater need for change in our industry.
