How to be an effective security buyer

Make sure every tool or appliance you buy can be applied to different types of risk and attack

In previous columns I have repeatedly emphasized the importance of interoperability and the danger of security fragmentation. Security is so fragmented that it is often hard to discern between hype and reality. Large security vendors try to draw you into a single-vendor closed integration package. Small vendors try to sell you the latest magic bullet, presenting what should be a feature as a whole new industry. Inevitably, you are left to cobble together disparate systems in order to get the depth of defense and layering of controls that you need.

Here are some quick tips on how to be an effective "buyer" of security:

Never buy a single-purpose tool. This is inspired by Alton Brown, who advises against buying kitchen tools that are "uni-taskers" (e.g. a cherry pitter). Instead, make sure every tool or appliance you buy can be applied to different types of risk and attack. Widely applicable tools that are not specific to one threat will make a more effective toolbox and will provide deeper defenses and more overlapping layers of defense. Evaluate whether the tool or security solution covers:

• External and insider attacks

• Malicious and inadvertent incidents

• Known and unknown threats

• Automated and targeted attacks

• Heterogeneous OS and platforms (including mobile)

Avoid management feature overlap. You don't need another reporting engine for compliance. You need the tool to integrate with your existing reporting engine. For each of the following areas you should think about building a multi-vendor, open-standards based, shared infrastructure. You should avoid replicating these functions in every tool:

• Logging and auditing

• User, group and role directory

• Policy management

• Alerting and notification

Focus on assets, not threats. A tool that protects any asset against one specific type of threat (e.g. guns, but not box cutters) is not as useful as a tool that protects one asset against any threat (e.g. reinforced flight-deck door). If attackers can simply switch attack vectors, they will. If they have to switch targets you have disadvantaged them.

Mortar, not bricks. The part that makes a wall strong is the mortar, not the bricks. Disconnected bricks fall down with a slight nudge. Buy "glue" software and security solutions that tie together various controls, monitoring systems, notification systems, etc. A well-integrated system with fewer controls is better than lots of disparate controls with no glue.

Empower people. Security cannot be automated as much as you'd like. Human adversaries will always be smarter than automated tools and will leverage human ingenuity to skirt around your protections. You can't replace well-trained security professionals exercising judgment with computers. So empower the people by giving them tools that multiply their impact and productivity, instead of trying to replace them.

Standards, standards, standards. Interoperability and "glue" infrastructure require open APIs, open protocols, open formats and open standards. How do you know it's really open and not just a committee endorsement of pseudo-standards? Look at how many different, potentially competing companies can interoperate using the standard. Ask the vendor: "Which of your competitors uses this?" If the answer is "none," then it's not a standard.

If all security buyers make slightly different choices, the industry will shift, dramatically and rapidly. There has never been a greater need for change in our industry.

Andreas M. Antonopoulos

Network World