Just for fun, I decided to count how many unsolicited emails I got in a 24 hour period offering to either fix my security problems, fix my network problems, fix my management problems, fix my compliance problems or train me to do all of the above.

Most of them required me to either attend a webinar or set up a conference call, usually for an hour, so that they could help me with the problems that they know that I have.

To find these nuggets, I had to go through the 700 emails that I had gotten in that 24 hour period, to find a total of 55 very important, life changing events that I could participate in.

If we assume that this was a bad day (it wasn’t) and on a normal day I would only get about half the number, it would still amount to almost 23 hours of death by webinar.

The sad part of this story is that this does not include the numerous phone calls from other vendors also trying to sell me something.

If only they could all produce the promised results – we could all buy a few of them, and then sit back knowing that all of our security woes were being handled by the latest and greatest shiny thing.

Unfortunately, as all real security folks know, there is no silver bullet that will fix all of the problems.  Real security, in my experience, requires more than a shiny object – and buying a product, or lots of products, will not create a secure environment, as evidenced by the major security breaches that are reported almost daily in the media.

If you need some guidance on developing a good security program, just read through some of the articles in the CISO Journal (skipping mine of course, unless you are looking for entertainment :)). The real answer to security is to fully understand your environment, your business, and the problems you are trying to solve – then create a customized, one size DOES NOT fit all set of programs and tools that accomplish your goal.

In my opinion, the secret sauce in our security program is in the software that we have written. I do not think for a minute that everyone can duplicate what we have done, but I really do believe that if you completely depend on commercial solutions for all of your security needs, you are placing your environment in jeopardy.

I am sure that the bad guys own one of every shiny object and have spent much time and effort looking for the weak spots (and there are weak spots in all of them). Build your security system out of commercial parts, but make sure that you do something that is not in the box – never use a default configuration for everything.

I give everyone permission to disagree with me on this, but in my humble opinion, I believe I may be on to something. I may be crazy, but I’m not stupid :)