Get with IT

March 18, 2010
9 good reasons not to buy information security products

Information security vendors seem to have all the right stuff. In the last few years, they have cropped up with solutions for seemingly every possible security need. Be it software, appliances or cloud-based services, they have just what you need to address all the threats and risks your business faces — at least that’s what their marketing and sales folks will tell you. From general regulatory compliance and risk management to more specific solutions for data leakage prevention, mobile encryption and malware obliteration — there’s no reason your information systems should not be completely secure, right? Not hardly.

Don’t jump on the bandwagon just yet. There are some signs that you are not ready to buy any new information security products — regardless of what the vendors promise. Here they are in no particular order:

1. Management runs the business in a vacuum and has no clue about information security.
2. An outsider has told a decision maker inside your business that all they need is a certain technology or two to be safe and secure without either person truly understanding the risks and what’s best for your specific business situation. It’s not hardly that simple.
3. Management believes that everything is locked down because they funded that firewall and anti-virus software purchase last year.
4. Management funded a high-level audit performed by a non-technical auditor with clipboard and a checklist where everything checked out A-OK.
5. You don’t truly know what it is that you are trying to protect and what you are trying to protect it from.
6. What you are trying to protect is worth less than what you will have to spend to protect it (both initially and ongoing). With all the regulations around personally-identifiable information these days, this one’s hard to refute, but I’ve still seen overly-fancy security controls guarding electronic information that’s not worth anything to anyone.
7. Users are trusted by management to do the right thing in every situation. After all, they had sparkling references and passed a background check when they were hired. No point in protecting them from themselves.
8. You have no formal security policies stating “this is how we do it here” that have been formally documented, approved by management and are supported and enforced by an IT governance/security committee. Otherwise, you simply have a wish list for information security and compliance that will never stand up against real risks — even if you have a bunch of fancy technical controls in place.
9. Perhaps most importantly, you have not enabled the security controls that are already built into your operating systems and applications, such as strong authentication, file and database access controls, encryption, personal firewalls, patching, logging and so on. So many of these are overlooked, yet they can offer a ton of value without you having to spend an extra penny on third-party solutions.

My reasoning behind all of this is that you cannot throw money and technology at underlying business problems and expect a long-term solution to your organization’s information security needs. Furthermore, you cannot fix what you do not acknowledge. Technology solutions such as firewalls, intrusion prevention systems and encryption often mask other problems for which management is not willing to be held accountable. Solid policies and processes can substitute for technology solutions and are often a better long-term alternative.

The harsh reality is that security does not come in a box; however, it is often portrayed that way by the vendors. Buy our product or service and you’ll be “compliant” with whatever regulations. Likewise, technology should not drive business decisions and processes. Do not fall into the trap until you step back and look at information security from a business and risk management perspective.

Determine where your business is at risk, develop policies that match up with your needs and goals, and then see if technology can be used to assist in policy enforcement. Edmund Burke said, "All that is necessary for triumph of evil is that good men do nothing." So do something to get started. This is the only way you can ensure that your IT and security dollars are being spent wisely. You and management might be pleasantly surprised that a ton of money does not have to be spent to attain reasonable information security. That’s a pretty good way to start off the New Year if you ask me.

Kevin Beaver is an independent information security consultant, author, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments in support of risk management and compliance. He has authored/co-authored seven books on information security including the brand new “Hacking for Dummies,3rd edition” and “The Practical Guide to HIPAA Privacy and Security Compliance”. He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin and link to his blog and Twitter account at his Web site