I’m a dirty vendor. That may not be the best way to start a serious dialogue about security product effectiveness, but I hate to read a post on security theory by some insincere tie-wearing wonk only to discover afterwards that he or she is Lord High Poobah of Marketing at “Scaring You For Profit, Inc.”

So I’ll just tell you who and what I am up front. I may have to wear the tie, but I don’t have to be _that guy_. Continue at your own risk.
The company I work for, Mandiant, provides incident response and computer forensics services to the private and public sectors. When I talk to customers, it’s often about managing the constraints of their budgets while deploying new technologies to address emerging threats. On top of established, often mandated legacy spends (think: firewalls and AV), information security professionals are presented with a wide array of technologies to address the changing landscape of miscreants, professional criminals, and state-sponsored actors that threaten information

The challenge for them (and us): implementing effective security measures in the face of budget constraints and externally-driven mandates. In my experience, this conversation usually features customers lamenting the cost of ineffective but “required” technologies and the expense of investing in new, future-facing solutions, often from small and specialized vendors. What I don’t hear – or see – is information security practitioners evaluating the effectiveness of the technologies they buy.
When is the last time you really studied the effectiveness of your security technologies and compared them against their cost? “Security metrics are hard” is a weak excuse – there are a number of common sense approaches you can apply:
Thinking about advertised versus applied value is a clean and logical way to assess the true worth of a security technology. Vendors set product and service pricing based on the value we think you should get (and be willing to pay for). It is then incumbent on you, and the marketplace at large, to figure out what the actual value is and then assess vendor performance based on your willingness to spend.
Of course, information security has another driver that distorts the clean, logical flow of market fundamentals: compliance. I won’t bother with an anti-compliance screed here – you can find plenty of others more eloquent on

Compliance has its place, but it has less and less to do with managing risks posed by real threats.
Compliance-only technology spends should have the same shape in your budget: lowest total cost of ownership to get a ‘check in the go box.’ Why? Because you have limited resources. You need to preserve budget for things that actually matter, namely: countering threats and mitigating risks to your information assets. If compliance forces your hand to invest in something that has little or no risk mitigation value, you should be a very thrifty shopper indeed.
I’m not saying compliance spends have no risk mitigation value. I’m saying they don’t _automatically_ have value. You need to assess the advertised value of the compliance-oriented control and associated technology versus its applied value in your environment, and invest accordingly. For a control technology with reasonable value (I’ll refer back to NIDS – not for detection, but for response): buy solid technology your team can actually use, as well as the training for them to use it well. For a meaningless checkbox technology that doesn’t lower your risk (the guilty shall go unnamed): spend as little as possible and blow the dust off when the auditors come.
In addition to assessing product effectiveness and identifying true value, you need to manage your vendors. We are simple creatures responding to market demand. Invest your time and money in the security products that matter by evaluating their worth to you. Share your assessment of effectiveness versus advertised and applied value with your vendors. Bring them up at the sales meeting and offer a blunt appraisal of your return on investment. If you are buying compliance technologies that have little to no value for addressing current risks your enterprise is facing, be honest with your vendor. Let them know how you view their contribution. Put them on notice that to win business beyond the compliance need, they must demonstrate actual value in the face of modern
This really boils down to being an educated buyer with realistic expectations about the computer science behind security challenges. ‘Protect me from everything’ isn’t a realistic expectation. Conversely, ‘pay me like I protect you from everything’ isn’t a realistic vendor expectation.
Dave Merkel is Vice President of Products and Threat Management Services at MANDIANT.