Why Your Vendor Doesn’t Want You to do Risk Analysis

Thursday, June 23, 2011

Danny Lieberman


Did you ever have a feeling that your IT integrator was treating you like a couple of guys selling you a Persian rug?  

“Take it now – it’s so beautiful, just perfect for your living room, a steal for only $10,000 and it’s on sale.”

And when you ask if it will last, they tell you, “Why do you want it to last? Enjoy, use it in good health, wear it out quickly and come back to the store so that we can sell you Persian Rug 2012.”

I had a meeting with a long-time client recently – I’ve developed some systems for them in the FDA regulatory and clinical trial management space. We met for lunch to discuss a new project which involved an extension to an existing multi-center study.

The question of secure backup came up and they asked me what I thought about backing up their clinical trial data together with the office file backups taken by their outsourced IT provider.

I said this was a very bad idea: their IT contractor specializes in Microsoft Windows/Office support for small businesses and simply does not have the know-how or security expertise for HIPAA-compliant data storage.

In general, small business IT integrators are behind the curve on data security, compliance, disaster recovery and application software security. Their job is to keep Microsoft SBS running smoothly and install anti-virus software, not to mitigate data security threats or HIPAA compliance risks. The typical SMB integrator mindset is dominated by the Microsoft monoculture, and I would not expect them to analyze data security threats correctly.

Whenever I go somewhere I look at things from a security perspective: open doors, windows, things that could easily be lifted, who might be a threat. Storing clinical data alongside a bunch of Microsoft Office files is just too big a risk to take.

The CEO accepted my recommendation to encrypt data on a secure, hardened virtual server instance in the cloud and monitor potential exposure to new emerging threats as their application and project portfolio evolves.

After lunch, back in the office, I realized that risk analysis is a threat to IT vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to an IT vendor salesperson who must make quota.

I am a big proponent of putting vendor suggestions aside and taking some time to perform a business threat analysis (shameless plug for our business threat analysis services: download our free white paper and learn more about Business Threat Modeling and security management).

In a business threat analysis you ignore technology for a week or two and systematically collect assets, threats and vulnerabilities, and THEN examine the cost-effective security countermeasures.

Your vendor wants to sell you a fancy $20,000 application security/database firewall, but it may turn out that your top vulnerability is from 10 contract field service engineers who shlep your company’s source code on their notebook computers.

You can mitigate the risk of a stolen notebook by installing a simple security countermeasure: free open-source disk encryption software for Windows Vista/XP, Mac OS X and Linux.
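A small quantitative version of that comparison, added here as an illustration (it is not the author's method or any tool from the post): a risk register that computes annual loss expectancy per threat and ranks countermeasures by net benefit. The asset values, incident rates and the $1,000 yearly cost of rolling out the free encryption are constructed sample numbers; only the $20,000 firewall and the ten notebooks come from the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    asset_value: float     # dollars lost if the asset is fully compromised (constructed)
    exposure: float        # fraction of asset_value lost per incident, 0..1
    annual_rate: float     # expected incidents per year across all instances

@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str            # name of the Threat it addresses
    annual_cost: float     # purchase plus operating cost per year
    loss_reduction: float  # fraction of the threat's expected loss it eliminates, 0..1

def annual_loss_expectancy(t: Threat) -> float:
    """Expected yearly loss from one threat: asset value x exposure x rate (ALE)."""
    return t.asset_value * t.exposure * t.annual_rate

def net_benefit(cm: Countermeasure, threats: dict) -> float:
    """Risk dollars removed per year minus what the countermeasure costs per year."""
    return annual_loss_expectancy(threats[cm.threat]) * cm.loss_reduction - cm.annual_cost

def rank_countermeasures(cms, threats):
    """Most cost-effective first; a negative net benefit means it never pays for itself."""
    return sorted(cms, key=lambda cm: net_benefit(cm, threats), reverse=True)

# Constructed sample register for the scenario in the post: ten contract engineers
# carrying source code on notebooks (5% chance per notebook per year of loss) versus
# an attack on the database behind the company's web application.
THREATS = {t.name: t for t in [
    Threat("stolen contractor notebook", "source code", 500_000, 0.20, 10 * 0.05),
    Threat("attack on web app database", "customer records", 300_000, 0.50, 0.10),
]}
COUNTERMEASURES = [
    Countermeasure("$20,000 app/database firewall", "attack on web app database", 20_000, 0.70),
    Countermeasure("free full-disk encryption on 10 notebooks", "stolen contractor notebook", 1_000, 0.90),
]

if __name__ == "__main__":
    for cm in rank_countermeasures(COUNTERMEASURES, THREATS):
        print(f"{cm.name:45s} net benefit/yr: {net_benefit(cm, THREATS):>10,.0f}")
```

With these inputs the notebook threat carries an ALE of $50,000 against $15,000 for the database attack, so the free encryption ranks first with a net benefit of $44,000 a year while the firewall comes out at minus $9,500.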

Information security vendors often promote their backup/data loss prevention/data retention/application security products using a compliance boogeyman.

The marketing communications often reach levels of the absurd, as the following example shows:

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11, SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis, and asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is simply absurd.

Sarbanes-Oxley Section 404 requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test its important manual and automated financial reporting controls.

I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system – he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged.

If there was a bug in the GL or missing or incorrect postings, he wanted the problem fixed, not cut-and-pasted around. Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.

But the best part is the piece on the NetClarity Web site that claims that their product will help “Deter auditors from finding and writing up IT Security flaws on your network”.

And I suppose this really proves my point best of all.

Information security vendors like NetClarity have no economic incentive to really reduce data security and compliance breaches, since fewer breaches would mean fewer sales; it is better business for them (though not for their customers) to sell ineffective products.

This raises an interesting question about information security business models – but that’s a topic best left to another post.

Cross-posted from Israeli Software

Ryan Thomas: Couldn't disagree more. As a security software vendor, I know that I can continue solving my customers' security issues with effective new products, and that new threats just keep coming. The more effectively I can solve today's pains, the more likely they will buy from me when the next threat arises. The example you gave re: NetClarity is valid but only illustrates vendors' tendency to overstate their products' capabilities ~ a real but separate issue.
Danny Lieberman: Ryan

First of all that's good to hear.

Here is what I think - and I talk from experience from 3 perspectives - customer (IT infrastructure manager at Intel), DLP solution provider (Fidelis Security and Verdasys partner) and independent software security and compliance consultant (Software Associate).

A very smart but cynical CEO of one of my best clients once told me what he thinks about security product vendors: "The good vendors look at your watch, tell you what time it is and invoice you. The bad vendors give you the time of day, rip off your watch and run with the money."

Granted, this is hyperbole and an extremely cynical generalization, but it reflects in a sense the state of the information security industry.

On a macro level, the information security industry does not have an economic incentive to reduce the number of security breaches/incidents. If they did, they would be selling less.

Overstating product capability runs rampant in the information security industry; the marketing collateral often appears to be written by a second-year English major who never installed a real product in his life.

On a micro level, the best data security solutions I've seen have been implemented on very well defined use cases utilizing a very small feature set of the product.

The question is not threat mitigation.

The question is cost-effectiveness.

Most clients and vendors are incapable of doing a value at risk calculation and cost-justifying their security portfolio simply because they don't collect the metrics and/or have the capability to do so.

If you can show that your product is cost-justified - you're
Danny Lieberman: Sorry, hit the send button way too fast ;-)

I think that security software vendors that have the capability to do a BUSINESS threat analysis with their customers, and show how their product is not only the right security countermeasure for a particular threat or class of threats but also how it should be prioritized and why it is more cost-effective than the alternatives -

that vendor has a tremendous advantage over the Symantecs of the world

Contact me off list - I'd love to hear what you're doing.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
