The information security space is a hot, fast-moving market, and with that heat and speed come both good and bad.
According to some experts, demand for IT security skills outstrips supply by more than a million job openings. Combined with a notoriously small community of genuine experts who make a living protecting (or exploiting) high-value data, this means the Peter Principle is often in full effect. As people rise to the level of their incompetence, they bring with them a lot of myth and misinformation: fear, uncertainty and doubt sown to sell products or preserve job security.
I’ve talked with a lot of frustrated CISOs who have to deal with the bluster: good, competent professionals tasked with setting strategy and acquiring tools to keep their organizations’ systems and data safe. Their BS detectors are fine-tuned and their boots are high enough to wade through the thickest of it. Here’s a small sample of the claims they’ve been told that turn them off and that have the insidious effect of tainting by association every vendor that walks through the door.
Don’t Believe The Hype:
Buzzwords are the bane of the CISO’s existence. Whatever the latest trend is, every vendor tries to figure out a way to hitch their wagon to that star, whether it is machine learning, artificial intelligence, behavioral analytics, orchestration or whatever.
“The problem with buzzword bingo is that it diminishes the truly innovative work being done by a lot of good security companies who aren’t chasing trends but are actually solving problems,” one CISO told me.
Out of Alignment:
A good technical sales representative knows their product and knows how to listen. Sometimes the CISO will encounter a pitch that doesn’t quite fit the product. Maybe it’s because the rep hasn’t taken the time to learn the product, or maybe it’s because the product team failed to convey the value of the tool they built. Either way, the result is often more hokum than hook—to the vendor’s detriment.
“I remember one especially bad pitch from an endpoint security vendor with a product focused on identifying and preventing malicious files on endpoints using machine learning capabilities,” one CISO recalled. “Yet, the pitch was about replacing existing anti-virus vendors even though their product’s coverage was weak and the effort to implement the solution was extremely high.
“Good security pitches start with a vendor that understands its product strengths and provides an honest assessment of how the solution aligns with customer needs,” the CISO continued. “A good pitch also includes fresh, unique approaches to existing problems.”
To Thine Own Self Be True:
A CISO’s mandate requires that they understand the makeup of their organization in order to assess and address risk. That means knowing the technical environment, how data moves within the systems, industry-specific threats and regulations and company culture. Once this knowledge has been acquired, a meaningful strategy can be drafted for the organization’s needs.
When a vendor comes in for a presentation and, after only a few minutes, claims to know precisely what your challenges are and how to solve them, that’s a major red flag for the confident CISO.
“I hear hyped-up pitches all the time; powerful messages offering Holy Grail solutions. That’s why it’s important to ask tough questions and test the vendor rep’s spiel,” one frustrated CISO said. “You know your risks best, so keep the focus on what you need done first. Ask specific questions that can’t be answered with rehearsed lines. Once you have that alignment, focus on validation post-implementation and how well the controls will operate to continuously reduce your risks.”
Separating Fact from Fiction:
What’s the best way to separate vendor facts from fiction?
Once you put the vendor to the test, a CISO said, the pretenders are easy to spot.
“When you start asking specific questions you find a lot of vaporware with no demo, or fancy interfaces being presented as new and novel security solutions with nothing under the hood. I am still surprised at the number of companies that make the effort to get in for a pitch but have no practical architecture for any feasible deployment in an existing environment.”
Another way is to “play the hacker.” My colleague Itzik Kotler, CTO and co-founder of SafeBreach, says that the way to avoid falling for snake-oil claims is to gain the hacker’s perspective. “By understanding what is possible from an adversary, you can better judge your defenses and controls, and quantify what’s working.” In other words, get your red team or “automated breach and attack simulation technologies” into the mix to test the claims from vendors.
Finally, it’s important to connect with the experts behind the scenes.
“The onus is on us as CISOs when we hear the pitch to ask the vendor to go deep,” a CISO said. “For example, take a claim like machine learning and ask the sales team to pull in the CTO, chief scientists and other experts to help drill down and understand the nature of the algorithms. This takes extra time, but it’s worth doing because we rely on the efficacy of these technologies to help steer our decisions.”
The lesson for the CISO community—both the newbies and the grizzled old veterans—is to make the effort to stay on top of the state of the art in our industry. IT security evolves faster than we realize and the pace of innovation is astounding. It is important for CISOs to keep up with the hackers; it’s just as important to keep up with the hacks.