If you want to keep your company’s production data network reasonably secure, then keep your executives a healthy distance away from information security appliance salespeople.
I’m deadly serious, and not for the reasons you’re probably assuming. I like a good security information and event management (SIEM) tool as much as the next head of IT. What I don’t care for is the common belief held by non-technical executive types that a shiny new security appliance could do a human security expert’s job. It can’t. All of those lovely intrusion-prevention systems and log aggregators and alerting systems are wonderful security awareness tools, but they’re all useless without trained and savvy operators.
If it helps, think about your production network as if it were a medieval farming village: picture a bunch of smithies, carpenters, and other shops that provide critical services, people running about doing work that benefits the community, and well-marked roads leading in and out of town. If those roads are left unguarded, then any blaggard could sneak into town, break into an unlocked storeroom, and nick some valuables. If you only guard the city gates, then a baddie can run around for weeks causing havoc inside because no one’s paying attention. It’s a metaphor, but it works.
Most people want the security and stability that come with living in a gigantic stone fortress, but those are hugely expensive – only the Fortune 500 global megacorps can afford to build impregnable castles. The rest of us have to make do with improvised, partial measures. That’s the security appliance vendors’ niche: they provide a cost-effective solution for significantly improving your meagre defences. In our village metaphor, they offer to build you a tall and sturdy watchtower in the centre of town. From there, your watchmen can survey the entire community, thereby allowing them to spot suspicious activity to help thwart the occasional evildoer. It’s a practical solution for most companies’ security situations.
Where the appliance solution inevitably falls apart is after the SIEM watchtower gets erected in the village green. “We have a security appliance,” the mayor announces. “Therefore we’re safe. Everybody get back to work.” The trouble is, the mayor neglects the most important part of the equation – there’s no one stationed inside the tower to keep watch. The baddies then saunter in and nick everyone’s valuables without difficulty.
If it seems I’m oversimplifying things, please understand that I’ve seen this exact scenario play out at far too many medium-sized businesses in real life. I recently interviewed the CISO of a multi-billion dollar company about how his team leveraged his monitoring kit. He sheepishly admitted that his company had spent oodles of cash deploying them, but that no one on staff was tasked to monitor them. The appliances sounded the alarms 24/7, but no one received the alerts. The deployment of SIEMs had made their executives feel good, but accomplished absolutely nothing. They were worse than useless.
That is not the fault of the security appliance manufacturer. Most of the ones I know make good products that can be wickedly effective when properly employed. Their function is to arm up a well-trained security team with tools optimised to aid security incident detection, response, and management. What many executives miss is that the security people are the critical elements in the equation; you cannot make security work effectively without them.
When it comes to systems security, start by hiring, resourcing, and empowering a savvy infosec team. A watchtower is useless without a watchman; a security appliance is equally useless without well-trained security analysts monitoring it.