Blame the Vendor, Blame the Victim Isn't A Game Worth Playing
A recent post at the ZNet's Threat Choas Blog describes a conversation at an IT conference between a the blogger and the CIO of a major branch of the military.
I engaged him in conversation about network security and he lashed out with “you security vendors are always trying to sell us a new box, you are a money hole we keep spending on but we still get hacked”. This is one of my hot buttons. Pinning the blame on the security industry for all the different solutions that do not inter-operate is a favorite game played by industry pundits and CIOs.
Finding solutions to the CIO's security problem would probably be easier with the vendor's help and vendors will sell more boxes if they have more helpful responses than retorts like
No sir, you have not spent enough on security.
The CIO is right, it is hard to get systems to inter-operate but that is a problem across IT, not just security. Ever try to get a couple of different Oracle products to work well together? Think it's a simple matter of throwing a CD in the drive and running setup.exe? Not a chance. Many of the applications we use are complex and difficult to configure and manage on their own, let alone integrate with others.
Vendors have an opportunity to improve security management with better support for integration. It's not easy, there are a variety of reasons this is hard but improvements are coming. Consolidated reporting is a good start.
Adding more boxes won't solve the problem completely. Security practices matter. Start with ISO/IEC 27002 or SANS What Works if you don't know where else to start.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
