After over 35 years in technology, more than 20 of them in information security, I sometimes think I've seen everything. Then I get a wake-up call. This one has to do with how we buy security products and services.
I spent three months training to be a field engineer for Tektronix, way back in the dark ages after I left the Navy, and to my utter, naïve surprise we spent almost an entire week on "specsmanship." Loosely defined, that means learning the art of making your product appear to outperform all of its competition without directly lying about its capabilities.
If anything has changed in the 25 years since I attended that training, it's that now we lie and expect the customer to believe us. Sadly, it turns out that they often do. In the past month I have heard several credible accounts of "shootouts" between security vendors - from product vendors to managed security services providers - that turned on straight-out, down-and-dirty misrepresentation of material technical facts. How did this happen? The customer did not have the technical background to ask the hard questions and push until he or she was fully satisfied that the answer had been substantiated with facts, not hype.
What's a poor security manager to do? The life of a computer information security officer has become as much of a firefight as the life of a system administrator. There simply may be no time to stay current on attacks, viruses, security technologies, and the numerous other partridges in pear trees that impinge upon the CISO's daily life. Organizations are partially to blame here. The infosecurity department needs to be balanced in its skill sets, not a corporate afterthought. If the CISO specializes in policies and procedures, make very sure that there is a resident full-time security technology geek on the team. This is a person who eats, sleeps and drinks security technology in all its various forms: attacks, viruses, intrusion detection, log analysis, and on and on.
If you don't have or can't hire a balancing team member, contract one. There are plenty of good consulting firms that can provide you with the support you need, often at a depth you couldn't afford to hire. The point is that infosecurity is not, never has been, and never will be, one-dimensional. The infosec picture is complex. There is no one size fits all. There is no silver bullet or any other cliché you might be able to think of. You need defense in depth and you need security talent in depth, either internally or from a trusted security partner.
These are the folks who can help you plan and buy right, not succumb to vendor hype or outright lies. They can ask the hard questions and get the responses backed up with testimonials from trusted associates who operate on their level in their specialties. The old saw about fooling some of the people all of the time is certainly true here. It is a very bad idea to make security choices that may affect the integrity and competitive position of your organization on a wing and a prayer.
Those of us who make our livings deep in the guts of security technology often shake our heads and ask, "How could XYZ Company ever have believed that provider? They're schlockmeisters!" But it happens every day. Organizations with little or no technical superiority win over and over again until they dominate the market, while smaller, better-skilled competitors go out of business before they can out-market the big dudes.
It is one of Stephenson's Axioms that there is no default connection between marketing superiority and technical superiority. Ask the hard questions. Get the help you need to ask and evaluate. Beef up your team to achieve a balance between various security skills. It ain't a panacea, folks, but it's way ahead of whatever's in second place!
Peter Stephenson is the director of technology services for QinetiQ Trusted Information Management, Inc. (www.qinetiq.com), and a regular columnist for SC Magazine.