Dear Chief Security Officer and Security Industry Leader,
I know you don’t need me to tell you that the job you have in front of you is a tough one. Even before the economic downturn increased the likelihood of attacks on your network, and on your customers’ personal information, you faced a tall order: to articulate the value that your team brings to your organization. After all, if you were successful at your job, your network was robust and resilient. But now, as your entire organization charts its way through the remainder of this economic maelstrom, you’re trying to make it all work with smaller budgets, fewer team members, and without the luxury of frequent technology refreshes.
While it’s tempting to throw up your hands and focus on tactical responses, there are some key issues that, as an industry, security vendors should be discussing with you to make your jobs less daunting. Most are what I like to call “security truths” – things that we know should be addressed, yet which we sweep under the rug to think about another day.
I believe today is the day for us to take these items out from under the rug and address them head on. What do you say?
Security Truth #1 – Decipher the Jargon
Most of us in the industry rely on jargon to make ourselves sound more authentic. We use big words and talk the big talk, but in the end, how do you know what we really know, what really makes us different, and what makes us, or some other company, the right vendor for you?
The bottom line is: you shouldn’t assess how much you trust a security product or service based on an RFP response alone. Your trust and confidence that the vendor will support you during ambiguous problems, without hiding behind contracts and formality, is a far better indicator of how flexibly they will support your objectives.
Yes, it is true; in the end, most vendors will sound similar, and will be willing to commit technical resources to fill gaps you identify as priority requirements. While the mechanics of those points will certainly vary, the answers to RFP questions will rarely, if ever, tell you whether this is the company you should work with.
In the end, that trust and confidence translates into how readily your vendor will make exceptions to its own processes and billing caps, because the vendor is doing its own calculation internally on whether it can absorb the cost of that exception against the longer-term value of your business. Working with a vendor where you are one of their bigger accounts (but not necessarily their biggest) should give you the right mindshare.
Security Truth #2 – Stop Running Fool’s Errands
Assigning blame for a network security breach or zero day attack is a fool’s errand. It’s human nature to want to blame someone or something for an incident. But let’s be real: most security incidents are a result of complexity in products, environments, staff knowledge, and a whole variety of other issues.
There will certainly be situations where an individual makes a brazen mistake and should have known better. Vulnerabilities where patches were released years ago, yet never installed; temporary firewall changes which aren’t undone; unauthorized new servers added to the network – these are pretty straightforward high-risk activities, and every one is a likely front door to an attack. Most finger-pointing energies should be channeled towards looking within, at policy, and, more importantly, at how policy is instituted, executed and enforced, because the majority of security policies are far too vague and ambiguous.
Want some clarity? It will take a bit of work, but it’s not too painful. First of all, the security lead needs to categorize what kind of security organization he or she is running inside the company. For example, do you define strategy at an executive level, or are you adjunct to conventional IT? Do you participate in signoff for business initiatives? Do you control budget for projects in the planning stage, or are you simply told what your slice will be after someone else finalizes the architecture?
Ultimately these sorts of questions drive how much authority you can write into your policy and enforce. In turn, this will impact whether you can demand certain end-user behavior or if, instead, you need to co-opt other groups (such as HR) into supporting your policy roll-out.
Security Truth #3 – Monetary Cost is Only One Consideration
Like any other act requiring a purchase order, buying a security product or service is typically presented as a matter of dollars and cents. But is this an accurate representation of its real cost? I am of the opinion that security purchases should not be presented solely in terms of the technology cost, and that the incremental demand on staff cycles, from annual vendor training to increased log analysis, should be incorporated into a technology purchase’s true cost to the business.
We often encounter customers who have essentially lost track of their network architecture. This is all but inevitable when you grow by acquisition, or in response to individual projects. But it is that very complexity, and corresponding lack of adequate controls, which creates opportunities for product vendors looking to fill the gaps. Buying a product to fix a problem, without exploring whether existing assets or a revised control could achieve similar goals, places a big burden on your staff.
The costs are soft, but they add up quickly. You need to account for extra recurring time in maintaining the new product, but you also need to anticipate that it will probably impact existing tools as well. It will require acceptance testing to document how it adds to your policy controls. It will need space in your data center.
These costs are all perfectly fine if you can point to a specific control or policy statement which is currently underserved. But it will always be preferable to leverage your existing tools, and the expertise your staff already have, whenever possible.
Now, perhaps none of these ‘security truths’ apply to your organization, or perhaps you recognize your organization in each one. Whatever your specific situation, I hope they provide some points for consideration as you structure your organization to meet the challenges of a recovering business and economic climate.
I look forward to engaging with you to find out what daily issues are causing you the most concern, and to sharing what we see and have learned from being on the other side of the table. Why not leave a comment below or send a tweet to @SecureThinking!
Cheers,
Jeff
Jeff Schmidt
Vice President and General Manager, Managed Security Solutions Group, BT Global Services
