Painful Operational Experiences Should Lead to Better Security

The hardest part about security has always been that it is an insurance sale. Whether acting as a consultant, part of an internal security team, or a vendor – it’s always a sale. As security professionals, we are used to selling against the likelihood of painful things happening. We all know that pushing security upon organizations is like selling life insurance. We wag our fingers, tell stakeholders that “Pain will happen to you, sooner or later, so think of the company,” and try to get everyone engaged. That can be effective, but is problematic when the operations side of a business has to contemplate the cost of implementing new or different security (a pain in and of itself – and one that can be more costly than the security itself).

Using the recent Target data breach as an example, I can safely predict that many a security person will use it to push for security on the insurance logic of “this could be us/you”. It’s a limited window when security has greater pull than operations, and it will quickly go back to business as usual as the immediate pain subsides. The bottom line is that there are well-established roots in all of us that explain this behavior: we heavily discount future risk. We know this about ourselves in many ways, even in how we react to natural disasters. That means that even a massive breach may be quickly forgotten, which leaves only a very small window for upgrading security.

In a business-as-usual situation, making the case for better security is difficult. Disrupting operations for the sake of security is rarely possible. Network and security admins may well recognize the need for better tools. It could be as simple as looking for a second vendor to overlap capabilities (one vendor at the perimeter, another at endpoints, for example), or finding a technology that is a better fit for an evolving operational environment.

The opportunity for security folks in virtualization or public cloud adoption is that there is prolonged disruption. For example, concentrating workloads with software-negotiated solutions (hypervisors and their management tools – virtualizing) sets up an opportunity, even a priority, for finding new approaches to security as the datacenter experiences a wide-ranging overhaul. In other words, if you are a security professional looking for a reason to justify an improvement in security, don’t look to security in isolation – look to where big changes in operations are happening.

To use a very generic example, let’s say that a company is pursuing a significant virtualization strategy in their datacenter. That means that most of the servers will be moved from traditional, physical systems to running on hypervisors. Just about everything, from networking to hardware, storage, monitoring, and so on, changes. In that change is a ready-made rationale for re-examining security.

Following that example, security folks can easily leverage the change. Virtualization tends to happen to servers before end-user systems. When looking at endpoint security for the servers, security teams may have in mind a best practice of running a different solution on servers than on end-user systems. While nothing has changed with end-user systems, the servers are running in a very different environment than before. If there are compelling reasons that both operations and security teams can get behind, then re-examining the security running on the server endpoints will be a business-friendly undertaking. For once, it’s not selling insurance – it’s selling security upgrades with an operations-friendly business case.

Of course, there are two keys to making this strategy work in an organization: first, look for the security advantage (the simplest is identifying vendors other than the one being used on end-user systems); second, look for vendors with compelling functionality that is built for virtualized environments. Simply finding another traditional security solution for a highly virtualized environment is like dropping Ford brakes into a brand-new Porsche. It might technically work, but it’s not going to help you move any faster in that machine.

What to look for in solutions for virtualized or public cloud environments is actually pretty simple. Find solutions that were built for those environments, not same-old technology that has had a new whiz-bang feature added to make it kinda-sorta work. If you run a full VMware shop, starting with vShield Endpoint integrated products is a good start. If you run non-VMware or mixed environments, you can still start with vShield-integrated kit and work your way out from the architecture of the endpoint protection. From there, you’ll want something that doesn’t require retraining, doesn’t hurt when contemplating a replacement (easy to deploy), and obviously, actually does a good job of securing things.

In the end, security teams should embrace disruption. Hopefully it’s not the awful kind, as the team at Target is likely experiencing, but rather a positive operational mass-change. Take advantage of change, because advocating a rip-and-replace in a steady-state operation is difficult, to say the least.
