It has become a widely accepted fact that the security landscape of today is so complex that using only traditional, perimeter-based defenses is no longer viable or effective. The increasing presence of mobile- and cloud-based applications, as well as the greater sophistication of the attackers themselves, is placing organizations in an extremely vulnerable state. This, as a result, presents a huge opportunity for organizations competing in the security space to pitch their wares. Given these opportunities, many in the industry are promoting their products as the best all-around solution in the market. However, in many cases, this simply is not accurate. Therefore, I wanted to take this time to offer my advice to prospective IT security customers and help the buyer beware.
Many of today’s vendors are taking advantage of the fact that, given the complexity of the threat landscape, customers don’t really know where their specific challenges lie. Thus, what many vendors are doing is trying to be all things to everybody. Some solutions are pitched as being as simple as plugging in another device, but what these vendors are really doing is making general claims in order to prosper from the confusion of the masses. These claims are what fuel the caveat emptor that I want to warn any potential buyer about.
As a customer, you have to be careful. Don’t be scared into thinking that you are going to lose time and money if you don’t deploy the latest and greatest solution. Look, instead, at how you can create a fully modular platform that lets you proactively defend your environment. Loss is not inevitable if you have a plan. With the right people and assets in place, you can be faster than your adversary, but it begins with understanding your risks.
If you take one thing away from this, I hope it is this: good security starts with understanding your risks and how you want to govern them. It’s important that you don’t get caught up constantly investing in the new, shiny toy in the market. Whatever solution you deploy needs to be part of the bigger infrastructure of your organization. Ask yourself “am I just looking at a pretty marketing brochure, or is what this vendor selling me going to provide me legitimate context within my environment?” If the answer is no, caveat emptor.
RSA’s Executive Chairman Art Coviello often mentions that organizations need to be the hunter, not the hunted. In order to join the fight, you must have an infrastructure in place that provides you with visibility and actionable analysis, allowing you to detect, respond to, and ultimately stop cyber-attacks. As a rule of thumb, I would begin by gaining an understanding of your risk by working with the partner community, which is composed of organizations that have experience defining that risk. These organizations sell security technology across multiple vendors, so they know better than anyone what legitimate features and functions are available in each product in the market. Take advantage of their expertise to determine exactly where your issues lie and which solutions are the best fit. This is how you can successfully build and implement a comprehensive security strategy – whether that be managed in house or hosted through an MSS offering.
Once again, be cognizant of what’s happening in the market today and continue to ask yourself if what you are looking to purchase provides context within your entire security practice. If you aren’t sure, leverage a security reseller or advisory partner. P.T. Barnum famously said “there’s a sucker born every minute.” Don’t become one of these suckers by falling prey to the shiny new toy – that is caveat emptor at its finest.