I recall a meeting some time ago with an account executive from a security provider; it doesn’t really matter which one. Since I was in charge of security for the corporation, he was interested in learning more about my security program (so that he could sell a product/service his company had developed).
The conversation was typical of what I have experienced again and again. While I tried to educate him about the problems a C(I)SO is facing, he was thinking and asking questions in terms of boxes and SOWs (statements of work):
- “So what do you do for DLP…”, or
- “…what do you do about NAC…/SOC…/…Firewall…/Antivirus/Malware…/IDS…/IPS…/…etc.”, or
- “Hey, our new version 7.09 of XYZ is now capable of real-time distillation of ultrahigh-density security quarks – do you want to get a free demo? We will install it for you onsite for 4 weeks all for free…”
For those of you who have been in a similar situation, you know where I am going with this.
Needless to say, I had no one on my team available for four weeks (or anything less than that) to assess whether their product did what it was supposed to do, with no clear business objective or goal to accomplish, just because the vendor was there with his “little” product that he wanted to place with us.
While I tried multiple times to establish a conversation about our company’s business strategy, how we tried to align the security strategy with it, how we were having an internal data classification project going on to help us understand our assets better, and how we would be doing a process analysis to have a true Business Impact Analysis (BIA) performed later to know where critical focal points should be, that person was circling back constantly to his products.
In case it wasn’t evident, I ended our relationship shortly after this discussion.
So, what are the types of security conversations that should take place before diving into products? The focus of these conversations should be to understand the customer’s business, their industry, their regulatory and competitive exposure, their risks related to data, and how this data is being used in their processes.
Only then can we together build a vision and next steps along a maturity curve based upon their unique security and risk exposure. When the C(I)SO, the CIO, and the other C-level executives feel comfortable that this vision makes sense for them, then I am ready to ask the vendors’ product teams for their endless expertise, bring them onsite to help the customer with their needs, and let the vendors earn the money and business they certainly deserve for their innovative product developments and, hopefully, not-too-pointed (but integrated) solutions.
I hope sales people will read and embrace this advice.
Given the recent and continuing revelations from the NSA documents that Edward Snowden shared with some news media, about the NSA and how it at least influenced the tech industry in the US (and it is safe to assume that its Russian, Chinese, and other counterparts do similar), we will surely see additional customer questions coming up about:
- the guaranteed absence of backdoors of all kinds in the product environment
- documented, adhered to, and independently audited secure software (and hardware) development life-cycles
- a cryptographically secure certification per serial number of any parts used in the system
- an independent verification of the proper installation and maintenance of the implemented product on-site
- regular, easy, (semi-automated), verified patching of any future vulnerabilities, including for so-called “product-end-of-life” situations
Customers want to decide for themselves, based on their respective business needs, when they will retire a certain OS, software, hardware, or similar, and not have that decided by the folks in Redmond, Cupertino, San Francisco, San Jose, Shenzhen, Beijing, Moscow, London, Munich, or elsewhere on the planet. Just imagine a car company telling you it won’t build brakes anymore for your beloved brand.
All of the above, signed and dated by the CEO and legal counsel of the providing company/vendor. Yes, I know, everything has at least two sides.
About the Author: Michael S. Oberlaender (@MSOberlaender) is a world-renowned security executive, thought leader, author and subject matter expert who has worked in executive-level security roles (CSO/CISO) both in the US and the EU (Germany) and in IT for over two decades. Most recently he has been serving as Chief Security Officer for the largest European cable network provider (Kabel Deutschland AG) in Munich, Germany, and before that served as Chief Information Security Officer for FMC Technologies Inc, a leading oil field services and engineering company in Houston, TX. Prior to that he was the Global IT Security Manager for Heidelberg Americas, Inc. in Atlanta, GA, the US subsidiary of Heidelberger Druckmaschinen AG, the world leader in printing press manufacturing. Before that he worked several years as Project Leader Security and Networks with Suedzucker AG in Mannheim, Germany, the world market leader in sugar and Europe’s largest food company, where he planned, built and ran their complete Internet connectivity and DMZ solutions. He has more than two decades of professional IT experience, is a member in good standing of (ISC)², ISACA, InfraGard, and several industry associations, and is certified CISSP, CISM, CRISC, CISA, ACSE, and GSNA (all current and in good standing). He holds a Master of Science (Physics) from the University of Heidelberg, Germany. Michael is a dual citizen (US and German) and speaks fluent English and German and fair French, and is continually learning Spanish. When he is not at work, at conferences or chapter meetings, managing crises, or otherwise busy, he enjoys relaxing with his family. Michael is also the author of C(I)SO – And Now What?: How to Successfully Build Security by Design, which is available at CreateSpace and Amazon.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.