Security Specialists in product decision making….

January 5th, 2008 Drazen Drazic Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, governance |

The old adage "you get what you pay for", I reckon, comes back to haunt us security people more than most. In many organisations it is still more the rule than the exception that IT security specialists don't have a say, let alone the final say, on what products or services get implemented. We see it all the time.

Why did you buy that product or service? Response from the IT Security Manager: "It was not our call in the end. We gave our strong recommendation but the CIO went with something else!"

Let's call it how it is. Many CIOs and major decision makers/stakeholders outside Information Security make the call on price vs. quality. They also make decisions based on how well they have been "treated" and "sold" to by the sales guys. (Not saying our own IS guys don't also fall into that category, but most of the time the IS dudes don't make the final call.)

Let me expand.

(NB: when I say product below, I also mean services.)

Let's have a look at the price thing. A decision is made that a certain technology is required. In a properly run tender/evaluation, you research first and then test the products head to head to see what works, what is sales BS and what best suits your requirements. A smart decision at the end of the day is one where:

1. The product(s) met the requirements during evaluation/testing. (NB: many do on the face of it because the vendor says so, but do they really?)
2. The price of the product is in line with the budget and with the benefits (wanted/expected) it will provide. (Aside: we see so many managed services around perimeter security, i.e. firewalls, IDS/IPS etc., that are just a waste of money; but go back to point 1 above and ask, did we have our requirements right?)
3. The system will actually work in the organisation and is scalable (if required). This is key! The millions of dollars we have seen squandered on rubbish is scary!

Why is it that so many organisations don't actually follow any of the above? Seems like common sense, doesn't it?

I've lost track of the number of times we've seen the IT security guys unanimous in their decision on a product or service, only for that decision to be vetoed by senior management, many times due to last-minute smooching of senior management by a large vendor: FUD against competitors, a magical drop in price, BS aplenty, leaving the company with a large investment in crap. Related (the last response is worth a read):
http://beastorbuddha.com/2007/10/16/integrity-of-annoucing-new-silver-bullets/#comments

Few organisations consider long-term pain vs. short-term price advantage. Let's just get the cheapest one now, without any consideration that in the long term the cost is going to be greater and the benefits/value far less. Pain, pain, pain.

Sales guys for major vendors have a job to do, and that is to sell you their product. Most of them have little real-world experience of implementing their product and are focused only on making the sale to reach their own sales targets. They won't have to use the product for the next few years, and when they move on to another company, sometimes a competitor, they'll start the process again; only this time, the product is far better than the one from the company they just left! :-)

Expert security people need to become part of the decision-making process, asking:
1. Is the product required at all? Does it serve a requirement?
2. Does it satisfy the requirement fully?
3. Does the investment in the product vs. the risk and threat make it a required/good investment? (Think long term, not just the day-1 cost.)

I know there's more detail to it, but the three points above cover the basics. Let's not complicate it further; it's already a problem for many organisations.

One Response to “Security Specialists in product decision making….”

  1. I worked for a global bank and never once were we consulted on "security products" that went into production. We were only later charged with ensuring that the guys who managed them did so within the bounds of the security policy. By that time, the horse had bolted.

    End up with rubbish product. You pick the name. All the same big companies that have promised for years to solve the problem but never have. As if we thought they would!
