On Friday, I discussed Joshua Corman's contention that "there is no perimeter," and my take on the phrase. That was only one of seven "dirty secrets" of the security industry he mentioned at Interop Las Vegas. Another is, he tells us, that security has grown beyond "do-it-yourself."
On Friday, I discussed Joshua Corman's contention that there is no perimeter, and my take on the phrase. That was only one of seven "dirty secrets" of the security industry that he mentioned at Interop Las Vegas. Another is, he tells us, that security has grown beyond "do-it-yourself."
Complexity and the vendor
The idea is that securing your information and other resources has become such a complex task that your business simply cannot do it alone. Security industry vendors would have you believe that the help you need is the security software they can provide. Send them a few thousand dollars, and they'll send you the key to securing your kingdom.
As IBM/ISS security strategist Corman pointed out, different businesses have different needs, and this makes the typical security vendor's "one size fits all solution" a less than ideal approach to protecting your resources. He suggested that "it's not enough to have the right tool. It needs to be installed and configured properly for the environment."
In translation, he said that you can't just buy the "one size fits all solution" and add it to the pile of precautions you use to protect your network -- you have to make sure it's properly deployed for your specific needs, too. Of course, even that is too simplistic. The truth is that "the right tool" usually isn't such a security vendor's solution at all.
His explanation implies that the correct way to handle things is to get yourself a "best practices" security tool, and get yourself a security consultant who will make sure you won't misuse it. You just don't know enough to take care of it on your own -- to do it yourself -- so you need an expert.
While you're getting an expert, though, you should get one that knows more than how to configure whatever security vendor's "one size fits all solution" got a full page ad in BusinessWeek. If you're going to retain the services of an expert, you need one with the right skills -- someone who can perform an effective network security assessment, someone who takes a principles-based approach to security rather than a tools-based approach, and someone who develops solutions to your problems rather than just buying a solution and selling it to everyone that comes along. There's something else your expert should be able to do, too.
Do it yourself
The best outside security professional is not the great and powerful Wizard of Oz, who knows all the secrets to your security needs and fixes them all for you. Security is not something that should be about getting things done for you to protect you from some nebulous "them" who threaten your resources. Instead, the best outside security professional for you is the one that helps you get and maintain control over your own resources, that helps you achieve independent security.
When you always have to rely on outside help to deal with security, your security is only as responsive, reliable, and trustworthy as the outside help. Requiring an outside security professional to understand how security works for you means adding more potential points of failure in your security. Every outsider you have to rely on is another potential flaw in your security. The best security is independent security.
That doesn't mean you shouldn't ever seek outside help. You can't reasonably be expected to write your own security software, put together all your own security solutions, and keep track of all the developments in the security state of the art, all at the same time that you run the rest of your business -- at least, not without running substantial risk of failure. You should, however, take charge of your own security solutions development.
The best outside security professional is the one that will help you get started, and will help you figure out how to take charge of your own security solution development in the future. Outside help can be valuable, both to help you get started and to help you keep abreast of changing needs and changing threats, but outside help -- whether it's a security consultant or a security vendor -- should never be the center of your efforts to secure yourself.
What do you do when someone develops an exploit for your security software? What do you do if your outside security professional gets hit by a bus?
You do it yourself, one way or another. Doing it yourself doesn't mean you can't get help. Just remember that the one person you can best rely on is yourself.