I'm here at the ISSA International Conference this week in Baltimore with many of the IT Security leaders of our industry ... with some of he usual cast of characters from across the industry. One of the conversations that keeps popping up is how to get beyond the features of all the shiny new security products that keep hitting the market, always solving new problems you the CISO didn't know you had. All these interesting features, all these problems with everyone having a 'solution' ...so what are you spending your shrinking budget on?
I think the conversation between the industry experts (whoever they are), the industry vendors, and corporate security leadership is all wrong. From the chief information security officer's (CISO) perspective, listen to the pitches the vendors give you... listen to the basis for the solutions you're being asked to spend money on. Lately it has been about 2 things: FUD primarily (that's Fear, Uncertainty, Doubt) and features secondarily. What's wrong with that?
Well, if you base your approach to helping enterprises reduce technical risk on the security catastrophe du jour you demonstrate a clear misunderstanding of the problem space, at least in my eyes. Let me give you a concrete example. Now that the Duqu worm has been discovered and classified as "Stuxnet 2.0" ...many of the antivirus vendors are using that as a springboard to talk about their new solutions. Wait, let's do a quick reality check. Last I checked the reason that Duqu was not caught for 12 or so months is that there are no effective "antivirus" strategies or products against that type of threat. So if you're selling antivirus to a CISO (well, if you're selling antivirus to a CISO in 2011 you have a bigger issue...) based on Duqu - you're demonstrating you don't understand threats, and mitigating controls for these specific types of threats.
Additionally, if your entire product pitch is around the latest and greatest new features (read: shiny objects) then you may just be missing the forest for the trees, as they say. All those features are great, but features are a momentary sedation. Featrues may address a particular problem at a point in time, but features come and go when the threats change. If your products and services don't address technical threat at the appropriate level you're doomed to repeat the "Look, shiny new features!" cycle and will continue to spend corporate capital on products that likely don't contribute well to an actual solution.
So why do vendors keep selling you "solutions" when they don't understand your problems? I wish I knew.
But hey, I work for a vendor, and I'm talking about it, so that's a start. I fully advocate actual solutions which typically entail several products and services ...not to mention changes to corporate culture, improvements in process, and education of your employees.
Take for example Enterprise Security Intelligence. Gartner talks about ESI like it's the Holy Grail of security. I agree. The problem is that ESI is rarely something that a single vendor can sell you as a "solution". As a concrete example, HP's ArcSight asset acts as our central nervous system for the ESI concept, and our TippingPoint network security products and Fortify software security products contribute to the data that the nerve center has to work with. But the story doesn't end there. To get a good ESI program going, your enterprise must incorporate applications you build, your infrastructure elements such as your servers, routers, and authentication/authorization systems, and even physical security components. You can't have ESI, true ESI, without nearly everything in your enterprise working in concert. This involves processes changing, education happening, and many, many other moving parts. You can't get this solution from a box, but it's one of the only effective ways (or the only effective way, if you subscribe to my mindset) to protect the modern borderless enterprise.
So can we get beyond the features? I hope so. My talk (which I will post over on my HP blog, Following the Wh1t3 Rabbit) on the Future of Software Security Intelligence certainly has elements of this post in it, and I will continue to push you, the industry leaders to think beyond features and FUD. Join me in fighting the 'shiny features' onslaught, and let's move toward a truly intelligent, real-time reactive, security enterprise.