Anyone who has ever been responsible for the research, approval, or purchase of a "security system", whether it be a spam filter, web filter, antivirus software, firewall, NAC, or any one of a plethora of other options, probably knows what a daunting task it can be. Dozens of vendors vie for your attention with dozens of options for each product they offer, and examining every detail of every option of every product is pretty much impossible unless you have a full-time team dedicated to nothing but product analysis and testing. For smaller shops, there should be a way to make a few educated decisions about which vendor is best suited for company needs. Note the word "suited". When considering a product or vendor, it's all about "suitability".
Just like the stock market.
As a relatively new investor in the stock market, I did some research into several companies, put a small investment down with a limited number of shares in a limited number of companies, and now hope that my investment will grow in the coming months and years. When considering how to invest money in stocks, there are a few factors to think about: the quality of the company's stock, the price per share, and who I would trust as an advisor to handle my investment. Other factors to consider might be company management, competitiveness, and how the company can sustain its position in the marketplace. I also asked friends and family who clearly have more knowledge about investing than I do for advice about my ideas, and took their thoughts into consideration before placing my first "buy" order.
By my own estimation, I have about 400 times more experience in the security industry than I do as an investor in the stock market. Over the last week, I have watched my stock purchases with a curious fascination, but I also began to see a correlation between my financial investments and what can be done to assess vendors of security-related products. During the day job (and yes, I actually have one), an intern asked me about product selection and how to assess which vendor or product would be best for our company. In the end, it seems to come down to three things: product (quality), price, and support.
Just like the stock market, security systems (as defined above, but not limited to those listed) might follow the same investment pattern. If any one of the three considerations fails a basic test, the investment could be considered flawed unless that area is judged an "acceptable risk" when weighed against the other two. For instance, there might be a best-of-breed solution with top-line support, but if the financial cost is outside of budgetary limits, that solution might be disqualified. In another case, an inexpensive solution might exist with excellent support, but the product itself is somewhat shoddy, which might also disqualify it. Then again, there's always the chance that a great product with great pricing has abysmal support; while some might consider this acceptable, lack of support could affect overall financial results (think: loss of man-hours spent resolving an issue) and even the product itself (upgrades and patches).
There's also another factor to consider:
Lyger (10/31/2008 5:58:11 PM): What things do you look for when considering a security product in a corporate environment?
Jericho (10/31/2008 6:18:31 PM): I don't, they all suck.
Lyger (10/31/2008 6:26:34 PM): Such a pessimist.
Lyger (10/31/2008 6:26:59 PM): Three things: product (quality), price, and support.
Lyger (10/31/2008 6:27:11 PM): Take any one of those away, it should be a dealbreaker.
Jericho (10/31/2008 6:27:39 PM): Product security. Adding vulnerable "security" software to help me "secure" something is a turn off.
Attrition.org's "security companies" page lists several "oopsies" for security companies that ironically failed in their efforts to secure either other systems or their own. When considering product suitability, it seems easy to overlook the security of the product itself. Some of the biggest names with the most popular products in the security industry also have some of the most publicized and most egregious errors in their own products. If you're not sure whether a particular security product has any known issues, a quick trip to OSVDB might be worth your time.
As mentioned before, smaller shops may not have the time or resources to consider each and every option available to them while shopping around for a "solution". When product, price, and support are taken into consideration, it's very much like the stock market. If you want a full-service broker/dealer, your investment in support may offset any losses in product and price, and that's just like dealing with companies selling security products. Let the buyer beware, especially if you haven't done your research first. There are tons of free options available for online research... use them! If you want a great price, you may be willing to sacrifice product quality and support. For blue-chip products, you might pay a little more and be willing to "do it yourself" without any help. The two markets seem very similar, and depending on how you approach your purchases, you could end up with either a gain or a loss depending on your needs, goals, and overall suitability. As one friend says, "do more of what works and less of what doesn't." That advice is wise not only for investing your own money in your own future, but also for investing in security "solutions" that may or may not fit your own needs or environment.
Product, price, and support. If you're faced with something that's not working, you can make a change, but do your homework and take those three things into consideration before investing in any product or service. That idea seems to work not only for financial investments but for security product and vendor assessments as well.
Copyright 2008 by Lyger and Attrition.org. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.