Monday, August 15, 2011

Suite packaged security can force feed us bad ideas and awful distractions

Once upon a time we picked products that were best of breed. We bought Word from MS and Lotus 123 because each individual point product was the best at what it did. That made sense. This was followed by the paradigm shift to best of suite. The idea of best of suite was that we paid less for an aggregate from one vendor than for all the best pieces from the best point products. With best of suite we just need to make sure that each piece is, if not necessarily the best, at least “good enough”.
This makes sense in a lot of areas, especially in operations like the productivity example above. We have long since gotten into buying security by best of suite and by vendor relationship. This leads to a question: how much product fat, crapware, and vendor agenda do we have built in with this deal?
So, minus the vitriol, I have looked at a number of these suites and I wonder if we are doing ourselves harm.
Free can be very expensive. Both at security vendors I have worked with and at competitors out in the industry we have seen the Ronco strategy. Do you remember Ronco? When you buy the salad shooter we will throw in a set of steak knives, a vegetable peeler and this (99.99 value) picture of the founder!
Each time our security vendors and consultants bring in ‘value add’ products and functions, even for no cost, they are a distraction. A bad vulnerability scanner is worse than no vulnerability scanner. It causes us to stop looking for flaws. In security, very differently from productivity software, mediocre does harm. Time spent in near-futile efforts of DLP and NAC causes us to use our best resources in a futile fashion. Time and productivity are lost in a manner very similar in cost to a penetration. We can spend forever just trying to get where we started. We disrupt the user environment, at least minimally, every time we add a new security tool.
Perhaps more insidious than the distraction of suites with pointless bells and whistles is the vendor agenda of the suites. We have previously discussed here why signature AV (and IPS if you really get down to it) are nearing the end of their useful life. Firewalls as we once knew them are near obsolete. Each vendor is not only presenting their products in the best possible light; they are also projecting their ideals of the best way to secure our environments. What happens when a vendor’s ideas become obsolete? Without slamming the security vendors of yesteryear, we can all think of products that became bad investments. When we are buying suites of security products we are, by necessary corollary, buying the concepts and methods that go with them. It is not unreasonable to think a vendor would push their core ideology past its sell-by date, as that strategy is their core money maker.
We have been adding successive layers of security for a generation. Is it time to throw some of them away? Maybe the distractions and man hours of worn out tools are doing us more harm than good? Maybe, just maybe, we are at the point where taking a deep breath and redesigning our data security environment will be easier to use and less extensive than patching the kludge we have yet again?
Is our best of suite data security model the analogy of the 1990 Ford Windstar that we have been driving for years and that is finally prohibitively expensive to repair one more time, so that it is time to finally buy a new car?
I don’t know… but if it were my mission critical data I would be sure to find out.