Current-events wordplay aside, it is a question that all people in charge of their organization’s information security should be asking. Now, in the interest of disclosure, I am a sales engineer for a company that wants to sell you security solutions, but bear with me… there is a lot of relevance to this conversation.
As a member of our sales staff, I visit a lot of customers in all verticals and markets here in the Pacific Northwest. But in the early days of Tripwire I ranged all over the country including Minnesota where certain companies find themselves in the news.
Talking to information security ninjas, in general, is an interesting experience. But it’s especially fascinating to talk to those at particularly large companies. The needs, wants and abilities of the security ninjas at these giant organizations are often a completely different world when compared to small to medium businesses. Sometimes they understand the need for products like the ones we sell and sometimes they don’t.
It’s the ones that don’t feel like they need us or other security solutions, and their reasons, that I find interesting… Often it’s the classic response that they just don’t have the money or budget for a project involving Tripwire’s solutions.
Other times our competitors get in there before us or are able to convince the customer that their solution is the way to go. But the response I find most interesting is: “We can do that ourselves” or “we have a homegrown solution already…”
As a technical person who has been in the security space for the last 14 or so years, I think this is the answer that makes me pause the most. Of course they can do it themselves. Just about any IT ninja worth their salt can write a script, application or even a batch file that “can do what Tripwire does…”
The question, however, is should they?
Often I am in the room with the person who has done exactly that. It certainly makes for some, let’s say, animated conversations and meetings about how they do it and why they think it’s better than what Tripwire offers.
The end result is fairly binary. They either get it or they don’t. The do-it-yourself crowd likes to pat themselves on the back for a number of reasons. First: Look how much money we just saved by not buying an expensive solution… And B: How lucky are we that we have such smart people that can write these little scripts that can do kinda sorta what Tripwire does.
At this point there is not much my sales people or myself can do. But let me ask you this question. As a security ninja, whom would you rather go into battle against the pirates with: the ninja who shows up with the random piece of steel he beat into a sword, or the ninja who shows up with the finest piece of Hanzo-crafted steel?
At the end of such meetings we politely shake hands and move onto the next meeting. Afterwards over a beer I will commiserate with my sales guy… usually the outcome is the same.
In about a year’s time the customer will either bring us back in because they could never get the results they wanted, or the self-made script couldn’t scale, or the guy who wrote it left and they couldn’t figure it out… That’s great. We are more than happy to go back into such an opportunity and help them with their problem…
However, every once in a while the worst happens… said company finds itself in the news… they were the victims of a breach and important data was stolen… I hate to be the guy who sits back and laughs, and usually the tragedy of the situation keeps me from doing so, but I certainly have to admit a sense of vindication or schadenfreude. How much money will the organization now have to shell out for fines, lawsuits, credit protection services for each of the affected customers, lost opportunity, stock drops, and so on? They probably could have bought my entire company for that amount of money, never mind the cost of a few licenses of our software.
Think of it this way: do-it-yourself is fine when you are hanging a ceiling fan or installing a new light switch, but there are just some tasks that need to be performed by a professional electrician or plumber, because the consequences of not hiring a pro can be disastrous or maybe even fatal.
At this point you can imagine that the phones at these companies are ringing off the hook with calls from security vendors, and each and every one of them is touting how their software or solution can help them; heck… our company is one of them. But if you are a CISO, VP, Director or Manager of your organization’s IT Security Ninjas and you have not yet suffered the indignity of a public breach… you just have to be asking yourself… Am I a target?
And if I am, what would I want to be using to fight off the pirates… an unproven do-it-yourself script? Or a purpose-built solution proven in the marketplace… Am I a target? You may already be…