Security, Lies and Sales

"Intelligence plus character - That is the goal of a true education" - Martin Luther King Jr.

ContentConnect@Flickr

Last week I read an article from one vendor describing how to "bypass" another vendor's security.  It wasn't the fact that the article was completely incorrect and misleading that sat me back, it was the intent.  I've had the pleasure of being intimately familiar with both sides of the security coin, practitioner and sales.  I have seen the incredible value that some vendors have brought to the landscape and, unfortunately, the harm that others have done as well.  Advancing our industry and maintaining the credibility of our roles are hard enough without being undermined and misled by unscrupulous vendors.

As security practitioners we've all seen our share of questionable sales individuals and tactics.  It's an unfortunate part of life that we must question the ethics and morals of the person on the other side of the table.  However, it's even more traumatic when our very mission and nature require us to be farther above the "moral line" than others.  When your vendor, consultant, partner, etc. even hints at something that violates that, we must instantly pause and question whether we want to continue.

Things I look out for:

  • Discussions that directly or indirectly reveal who their other customers are.  This is not about reference customers but all others.  Are they talking about you to other organizations, etc.?
  • Discussions about their competitors' failings.  This goes way beyond how they compete feature to feature, service to service, etc.  It's the negative talk about the competitor's failings.  This is especially true when a vendor is compromised.  We've all been there and I wouldn't wish it on anyone.  It's in poor taste to use others' challenges to lift yourself up.
  • The magical product that cures all of your ills.  This is probably the most common issue I've seen.  No matter what your need is, their product will fix it for you.  SOX? PCI? APT? SDLC? Culture?  Don't worry... we've got an app for that.
  • Discussion of their product's capabilities well above reality.  I understand marketing, but when their stated capabilities are flat out false it forces me to question all of their statements.
  • False statements about competitors' features.  It's one thing to do a feature comparison with a competitor.  It's another when you state they don't have a feature or capability only to make yourself look better.  It's even worse when you publish those manipulative comparisons.
  • Engagements beyond the normal.  Having a dinner or expo pass given to you is one thing.  Trips and other more lavish gifts are another.  It's even more questionable when you are being courted as a prospect vs. an active customer.
  • The highly inflated cost model.  This isn't so much the salesperson as the company itself.  When you are selling a server security product that costs more than the operating system itself, that might be a problem.  When the price miraculously gets cut by 50% or more at the end of the quarter, that might be a flag.  I understand profit, but gouging is not good for the customer.

Death of a CISO

kingkong21 @ Flickr

Over the past 7 years or so we've seen the introduction of the Chief Risk Officer (CRO). Mostly within financials at first, it's starting to gain a lot of steam in other industries. In addition to that role rising we are also seeing, much more recently, the splitting of the CISO role to accommodate two different functions. The first is the operational component of security: firewall management, vulnerability scanning, incident response, etc. The second is the governance and risk management disciplines that are still fairly new to our industry. What's interesting is that I'm starting to see, for the first time, the actual separation of the CISO role, which used to contain both of those functions. The operational role is staying with the CIO or respective head of technology and the risk component is moving to the CRO organization. Some have called it the Information Risk Officer (IRO).

I think that, while it's fairly new now, this will become the migration path of the CISO role. We could eventually see the CISO role deprecated completely in 5-10 years as this picks up steam. Where some might see this as the end of our ability to properly secure our environments, I see it as a fantastic opportunity to drive proper risk management into corporations. With that, information risk or security risk should be a major part of it. Historically, we've struggled at creating and implementing a good risk management approach in industry and we are just now breaking through that ceiling. I see this as an opportunity to shatter it and accelerate our ability to move our industry forward.

So what's a current CISO to do? Like my mother always said, "Do what you love". Are you a risk / governance individual or an operational one? To that end, learn and grow that discipline and market it internally. If you are an IRM individual, learn the other disciplines of governance and risk and learn how to include security in that ERM model.

CISPA is stalled?

It looks like the bill that we need to give us the ability to defend our organizations and country from the onslaught of attacks over the past 7 years is getting resistance in the Senate, as noted in an article on Huffington Post today.  I have to say I'm disappointed in the reasons.  I've seen a lot of articles talking about the "Fear, Uncertainty and Doubt" of CISPA, but the fact remains it's just that, FUD.  CISPA does NOT allow for the unfettered sharing of information between the government and corporations as Bill Brenner suggests in his CSO blog posting yesterday.  Now I like Bill, a lot, but I completely disagree for a few main reasons.

1) I've worked in this space for many, many years and there is no one more supportive of or passionate about citizens' privacy than those I've worked side by side with in the U.S. Government.  Not only that, but there are more lawyers in standard meetings than you can shake a stick at, and their main focus is to ensure laws and privacy rights are not violated.  Now I'm not saying we rest on our laurels because of that, but this notion that "the wolves will come out" is just counter to my experience.

2) The bill is clear in its statement on the sharing of information.  It's not unfettered or for "any" reason.  It's limited to a few main areas: child protection, national security, criminal actions, etc.  Anything outside of these reasons would fall back to the standard laws around the protection of privacy.  Beyond this there is no allowance for a government entity to just come to my office and say "I'd like this" while we are legally protected.  There needs to be a clear crime or other issue as stated above AND my lawyers have to agree.  It can't be forced.  Anyone who's worked in corporations and dealt with the legal team knows that they are the largest risk elimination team out there.

3) The notion that the government won't share information, doesn't have any information, etc. is false.  The main problem that exists today is that they can't share information, primarily because it's classified or limited to an active investigation.  This bill goes a long way in clearing the path so that they CAN share that information.  Without it, the main sources of citizen compromises will continue.

There is more that I can and have said about this.  The short point is that we need something passed to allow our companies and government to prevent the attacks that ARE, not could be, exposing our citizens' private information to malicious individuals.  The huge irony, in my opinion, is that we are trying to protect citizens' privacy and it's the privacy discussion that's preventing the bill from being passed.  It's been over seven years that we've been dealing with this problem.  It's time to act now!