Tuesday, October 16, 2012

Saving Money with IT Security Processes. Example 13/26: Avoid Misleading Vendor Advice with Security Awareness

Article number 13 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Vendors are doing their job: they try to sell security solutions and services. Ideally, they prefer to sell solutions rather than services. A solution is more concrete, it is easier to convince non-security people with, and it brings additional services along in order to implement and maintain it.
In order to do so, they demonstrate the profitability by showing critical examples of security breaches and/or outages. This could be a kind of Awareness if it weren't so biased. It's biased in that it tends to:
  • Concentrate fear on the subject that's addressed by the solution they're trying to sell. (Whereas the subject may not be a major concern for the company, or even a concern at all.)
  • Concentrate fear on the few points of the whole subject that the solution actually helps solve. (Leaving 95% of the actual subject unsolved.)
CISOs are used to this kind of manipulation. They just go through it without even noticing anymore. For instance, as a CISO, I used to receive up to 30 dedicated e-mails every day from real people I had actually met before. I didn't mind.

So, in order to still sell "solutions", vendors go after easier targets: highly placed executives outside of IT Security. More precisely, they try to sell solutions wherever the CISO cannot constantly reach:
  • IT managers of remote sites where there is no permanent security team,
  • Users of packaged "IT tools not considered IT", like Telephony, Document Management, Technical Services from Logistics...
  • People interested in closely related matters: Quality, Compliance.
  • And sometimes even through service providers!
That's the costly point. If vendors are able to sell solutions, they'll sell unfit solutions:
  • Costly,
  • Ineffective,
  • Ill-centered on minor points,
  • Duplicating what's already implemented,
  • Sometimes completely irrelevant...
Through a correct Awareness process, you'll reach not only end-users, but also management. It does the following:
  • Communicate around what you already do → no more duplicates.
  • Communicate around what you don't do and why (we'll do it later, we don't do it because it's not relevant, it's not a major concern) → no more irrelevant solutions.
  • De-mystify buzzwords → no more ill-centered solutions.
  • Communicate about real threats and the associated risk → no more haste resulting in cost-ineffectiveness.