I stumbled upon a nice article by Bill Brenner on blaming security vendors. Now that I am one, this seems incredibly biased, but I felt just the same last year. In my view there’s sufficient parity across most security vendors that the key to success is the process you place around implementation, maintenance, and measurement of any solution. I bring up Accountability a lot, and this is another example.
I recently spoke to someone whose enterprise vuln scanner deployment had been crippled – for months! To oversimplify:
- the team allowed the service (which the tool is part of) to go dark
- the vendor didn’t drop everything and make sure the customer was successful
Eventually the customer put their foot down and made the vendor work with them to fix the problem. In this vignette, blame goes to both parties. The key to turning this from a long-term problem into a short fix goes back to process. If resilient systems are a priority for this business (they say they are), then why did it take so long, and does it really matter? After all, a (known) loss didn’t occur during this period.
I think it matters not just because of the security benefits, but because of the tacit acceptance that a key security service was allowed to fail. What was the morale on the team during this period, the perception of other IT services, the message to business users? If we expect business and IT groups to mature their services and behavior, we have to lead by example.
If you read the article, give the FOI podcast with Jack Daniel a listen. It’s 7 minutes and a nice reminder.
I know running mature processes is hard with the distractions bombarding security teams. In my experience, this is when security is at its most rewarding – remaining accountable while holding back chaos with a whip and a chair. Communicating and escalating a problem isn’t fun, but prioritizing and overcoming the problem is!