Repercussions from one vendor's successful sale into the US Department of Defense are still being felt. "[This particular vendor] won the DoD contract. Then we start hearing from guys at various DoD installations saying 'Oh, God, this is horrible stuff. We can't use this,'" says the anonymous vendor.
Organizations whose C-level execs buy bundles do save money -- lots of it. Unfortunately, they often get "really subpar security; sometimes dangerously so," says the vendor.
But how to get that through the head of the C-level exec who's sold on a bundle? By getting security personnel in on the decision-making process, before the money has a chance to drift out of the C-exec's hot little hands.
Bob Maley's lucky that way -- his employer fixed the problem shortly before he came on board. Before he took on the job of chief information security officer for the Commonwealth of Pennsylvania in late 2005, the Commonwealth had developed an enterprise architecture process patterned after that of the National Association of State Chief Information Officers (NASCIO). Part of that process, now in place for more than four years, is a clear set of standards for security product selection.
As Maley puts it, some other parts of the government may have unlimited resources to purchase security tools, but not his. So he and his group have gotten good at collaborating with peers -- not only through NASCIO but also through the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Under the MS-ISAC, which is run through the US Department of Homeland Security, all 50 states share best practices. The organization also recently hitched a ride on the federal government's SmartBUY purchasing initiative, which is designed to leverage the government's hefty buying clout to save money through aggregate purchasing.
What works for one sector -- the government -- in this case works for others: Network with peers, find out what security tools they use and trust, and find out which are clunkers to avoid.
But if it's not an option to cut your bundle-buying C-exec out of the picture altogether, salvation comes down to intervention at an early stage. Communication is key, and not the type of communication where security says "We have to use XYZ because I said so." Rather, security has to convert the geek discussion into a business discussion.
"I recommend that security get users to buy into them as people," advises Alvaka Networks' McDonald. "Do lunch and learn internally. Bring staff in, bring management in and have them understand why the things you're saying are being said."
That helps security pros to break down the "You're just in the way" barrier, McDonald says. "If you ask the employees and management, 'So, I have these things I'm being told I have to do -- say, to secure PCI information, or to protect assets of the organization, and do other things mandated by government. What would you have me do if you were in my seat?'"
It's not formal training; rather, it's getting together and figuring out how to do the security task at hand.