Don't let fear drive your IT security purchasing decisions

Looking at the technology products offered by today’s vendors, the marketing hype suggests they have the silver bullet that can kill the lycanthropic threat that haunts the waking nightmare of the digital age.

International author and speaker Bruce Schneier summed it up best at last week's AISA conference when he said "no single product or technology will fully protect you".

Instead, security teams need to find the right balance and trade-off between people, process and technology, layered onto the security management paradigm of protect, detect and respond.

But often the fear response is dominant when customers come to purchase security technology products and services, overriding any form of systemic analysis they would apply to solving other business problems.

“The way you talk about something fundamentally changes the way you evaluate risk. The context in which you judge something also determines how you interpret it," Dr Ian Levy, technical director of the UK’s new National Cyber Security Centre, told the conference.

"So if you’re told that cyber security attacks are purported by winged ninja cyber monkeys who sit in a foreign country who can compromise your machine just by thinking about it you’re going to have a fear response. And that’s where we are today. "

His analogies might sound whimsical, but they contain a serious message. The reality is that the threat environment is fairly well understood and in most cases attacks are nowhere near as sophisticated as vendors proclaim.

Technology companies need to temper their over-marketing and instead explain which security problems they actually help to solve. It’s way too easy to end up bogged down in a security quagmire, and when you only have $500,000 to spend, how can you decide which of the 150 products to purchase to best shore up your defences?

Plus, according to Schneier, harm can actually be reduced by showing people what to do if they get hacked, without the need to introduce any new technology.

By focusing on the people and process aspects of cyber defences, it’s possible to build an educated workforce that knows what to do and how to do it when something bad happens.

I sense a shift is coming. People are becoming tired of the hype, and weary from the continual threat.

One way to address the problem is to stop giving vendors air time as "experts" when another company or government department is hacked.

Instead, let's look to independent experts to provide accurate and non-emotive facts. We can bring the vendors back in once they've toned down the hype, cut out the fantasy, and are ready to assist customers in buying the right controls for their needs.