Security Slide Rules

Friday, June 29, 2012

Wendy Nather


In my time as a CISO, and now as an analyst, I've seen more vendor presentations than I can possibly count. 

Over time, I evolved a set of rules that you may want to know about if you're going to share a slide deck with me.  

Here are the required elements:

  • First off, there must be a slide talking about The Problem We All Face, indicating that it’s a scary, scary world out there.  Otherwise I would forget why we’re all here. 
  • Next, there must be a conceptual slide that includes icons of people, the cloudernet, and either monitors or CPUs.  Extra points for locks, or creatively drawn bad guys.
  • Add a chart of your company’s growth with the arrow pointing skywards on the right-hand side.  Don't include any numbers or units on the axes; those details are irrelevant.
  • There must be at least one circle-shaped process flow, indicating that the customer will never be finished using your product.
  • Don't forget the obligatory page full of customer logos (whether they approved the use or not).
  • And tiny screenshots of your product, which I cannot possibly read.
  • Compliance.  The word compliance has to be on there; otherwise I’m not reading it.  APT is not a one-for-one substitute, although it’s close.
  • You must show your boxes replacing your competitor’s boxes in an abstracted network diagram.  If your product is only software, you should still use boxes.  Virtualized appliances should be depicted by cloudy boxes.
  • Please include some fancy transitions or build sequences so that I can watch them break, or miss them altogether, during an online presentation.
  • And finally:  I cannot take your presentation seriously without military references, a fortress metaphor, or an onion metaphor (depicting defense in depth).

Now, if you're feeling especially ambitious and would like bonus points, I would love to see:

  • The classic "risk = vulnerability x impact" equation.  I just can't get enough of that one.
  • Carefully chosen quotes from a couple of bank customers saying how wonderful your product is.  Because I hadn't been planning to buy until I saw those. Banks always know what they're doing.
  • A description of your bad-ass threat researchers, whose continuous stream of published vulnerabilities and exploits makes my job as CISO so much easier.
  • Add a percentage figure to your "low false positive" rate.  Better yet, make it zero; that saves us all time.
  • A reference to Kevin Mitnick is just the cherry on top.

Thanks for tuning in, and I look forward to the next 24-megabyte PowerPoint file in my inbox.

Cross-posted from Idoneous Security
