Information security vendors seem to have all the right stuff. In the last few years, they have cropped up with solutions for seemingly every possible security need. Be it software, appliances or cloud-based services, they have just what you need to address all the threats and risks your business faces — at least that’s what their marketing and sales folks will tell you. From general regulatory compliance and risk management to more specific solutions for data leakage prevention, mobile encryption and malware obliteration — there’s no reason your information systems should not be completely secure, right? Hardly.
Don’t jump on the bandwagon just yet. There are some signs that you are not ready to buy any new information security products — regardless of what the vendors promise. Here they are in no particular order:
1. Management runs the business in a vacuum and has no clue about information security.
2. An outsider has told a decision maker inside your business that all they need is a certain technology or two to be safe and secure, without either person truly understanding the risks and what’s best for your specific business situation. It’s hardly that simple.
3. Management believes that everything is locked down because they funded that firewall and anti-virus software purchase last year.
4. Management funded a high-level audit performed by a non-technical auditor with a clipboard and a checklist, where everything checked out A-OK.
5. You don’t truly know what it is that you are trying to protect and what you are trying to protect it from.
6. What you are trying to protect is worth less than what you will have to spend to protect it (both initially and ongoing). With all the regulations around personally identifiable information these days, this one’s hard to refute, but I’ve still seen overly fancy security controls guarding electronic information that’s not worth anything to anyone.
7. Users are trusted by management to do the right thing in every situation. After all, they had sparkling references and passed a background check when they were hired. No point in protecting them from themselves.
8. You have no formal security policies stating “this is how we do it here” that are documented, approved by management, and supported and enforced by an IT governance/security committee. Otherwise, you simply have a wish list for information security and compliance that will never stand up against real risks — even if you have a bunch of fancy technical controls in place.
9. Perhaps most importantly, you have not enabled the security controls that are already built into your operating systems and applications, such as strong authentication, file and database access controls, encryption, personal firewalls, patching, logging and so on. So many of these are overlooked, yet they can offer a ton of value without you having to spend an extra penny on third-party solutions.
My reasoning behind all of this is that you cannot throw money and technology at underlying business problems and expect a long-term solution to your organization’s information security needs. Furthermore, you cannot fix what you do not acknowledge. Technology solutions such as firewalls, intrusion prevention systems and encryption often mask other problems for which management is not willing to be held accountable. Solid policies and processes can substitute for technology solutions and are often a better long-term alternative.
The harsh reality is that security does not come in a box; however, it is often portrayed that way by the vendors: buy our product or service and you’ll be “compliant” with whatever regulations apply. Likewise, technology should not drive business decisions and processes. Do not fall into the trap until you step back and look at information security from a business and risk management perspective.