I am posting this column from my seat aboard another flight—this one from Cleveland to Las Vegas. I am more than willing to swap Cleveland for Las Vegas almost any day, and I’m looking forward to the warm weather and a few hours playing Blackjack. I’ve just pulled my headphones from my Swiss Army™ Trevi® ballistic briefcase and put them on to combat the noise as I type. No, I am not dropping names; I am making a point.
The briefcase was a recent acquisition to make air travel less onerous. I had dutifully carried my company-issued laptop bag for four years. It was made of quality leather and protected my laptop well. However, it was always a hassle at the passenger screening area. The bag fits the laptop snugly, and it had to be completely unzipped and opened up in order to remove the computer for the TSA X-ray. And when the top was open, items stored in the small front pocket tended to drop out onto the conveyor belt. It was maddening scrambling after coins, phone chargers and pens in front of the portal.
I finally opted to buy what I knew I needed: one of the new Swiss Army™ briefcases. They are not inexpensive, and I got “that look” from my spouse when I showed up after a trip with one. I did my best to expound on the inadequacy of the current set-up, and made the case for the pricey alternative.
I told her the Swiss Army™ bags are designed with the laptop compartment easily accessible through the top of the case. My laptop can pop right out of the top of the bag without any disruption to the other contents. In addition to an ability to expand and contract, it offers discreet attachments to handle my water bottle, keys, and mobile phone. The bag can be slipped over the handle of my rolling checked bag, and there is even a place for my umbrella. The acquisition has made my traveling life much more bearable.
I make a lot of purchase decisions this way—by determining and prioritizing my needs, then finding the product that best fulfills them. I feel the same way about the cars my wife and I drive. After many years of owning a variety of mostly new vehicles with widely varying results, we have settled on Hondas.
As I have grown older, if not necessarily wiser, the automobile has taken on new meaning for me. As a young adult, I felt I should be defined by the car I drove. It represented a form of identity that showcased my tastes and even (as silly as it may be) my social status.
I now look on cars as an appliance. They need to get me and my family where we need to go with cost-effective comfort, safety and reliability. I no longer go to the car dealer’s lot seeking the priciest or trendiest vehicle I can afford. I save the money for a car and pay cash for the vehicle that will best meet my three criteria. My father had it figured out many years earlier when he suggested I need not spend money I didn’t have, to buy something I didn’t need, to impress people I didn’t know.
For many of my clients, I find it valuable to describe a similar approach to defining, selecting and implementing security safeguards and countermeasures. First and foremost is the need to develop objective criteria for these technical and procedural solutions. If you simply follow your gut instinct—or worse, your emotions—it is likely you will fail to discern the real functional requirements and thus not make the optimum decision. Many decision makers make this mistake when they blindly accept the claims of vendors or react to those who spread FUD: fear, uncertainty and doubt. Determining your specific security requirements is the key to making the best decision.
The cheapest solution is not always the best or most effective. Even with sound criteria established well in advance, it is important to take into account the reputation of the company behind the product. I factored brand reputation into my recent purchases.
When your security plans call for investments in safeguards and countermeasures, start by making sure you understand exactly what you expect from your investment. Then outline specific criteria to provide a sensible sounding board for anchoring your decision. Brand names can provide a level of assurance in your purchase. Even if problems arise, a company’s reputation can ensure you have a way to seek quick and effective responses.
I know of quite a few cases where the security staff made a decision based on short-sighted objectives. For example, a large government agency with which I am familiar made the choice to go with a small but eager security start-up for some critical analytic tools. The start-up certainly had a jump on the larger vendors with a unique technology solution and attentive salespersons. In fact, this was going to be their single largest sale to date. The agency made the purchase, and the tiny company trumpeted the sale in press releases and Web announcements.
Although this new product had a demonstrable technical advantage, it wasn’t long before the established security product companies were catching up. At the same time, the start-up was finding it difficult to replicate its sales success with other government buyers, and an unsuccessful round of mezzanine financing soon resulted in the company closing its doors. The government agency was now saddled with an important security tool that was no longer maintained or supported. It was eventually forced to buy a similar product from a more established vendor, which resulted in increased cost and delays in deployment.
Of course, a company’s size and reputation will not guarantee the best solution. Most of these large vendors started not so long ago as that small start-up seeking to do battle with the industry giants. But the sometimes-brutal cauldron of capitalism ultimately will define the winners and the losers. There are usually good reasons a company joins the ranks of the former. And those reasons almost always include a quality product. Aren’t you glad you bought that?
John McCumber is a security and risk professional. He is the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. Mr. McCumber can be reached at firstname.lastname@example.org.