Security Solutions – is it a Process or a Commodity?

So you go to your next security conference and what will you most likely find? Most likely you will see many sellers of security in a box? Not always but much of the time, FUD is the technique used for selling their solution. FUD is commonly known in the information security community as fear, uncertainty, and doubt.

Who are the buyers of such security solutions? To most salespeople, the buyers are whoever has the money and the need for their product. Most buyers of such security solutions are influenced with a FUD strategy and maybe that will help the buyer feel good about their purchase. But it will only provide a secure state of mind unless there are defined security processes in place that are being made more efficient by the product.

Operations security (OPSEC) is a part of a layered defense program that keeps the business running securely. All of these controls should be considered a part of the operations security process because they must be audited regularly to evaluate their efficiency and changed when determined necessary by a risk assessments.

Technical controls: Standards for system hardening, passwords, encryption standards, anti-virus and anti-spyware, Firewalls and IDS/IPS, and general use of hardware and software to mitigate risk.

Physical Security: Limit physical access to systems to a select few and only those who need it. Equipment should be in a controlled environment with regulated temperature, power, and ventilation.

Managerial or Administrative Controls: This includes policies that require the aforementioned controls. This includes policies requiring background checks and segregation of duties. The security policies must be communicated through security awareness training for all stakeholders: owners, custodians, and users.

Vulnerability and patch management is one area that falls between administrative and technical controls because there needs to be a patch management process that defines the acceptable timelines for patch deployment before enforcement through technical controls should be implemented. Additionally, audits should be focused on determining the efficiency of either technical, physical or administrative controls.

Security should be considered a process in any organization and therefore, any product that is purchased should be done so to improve that security processes. Many organizations have created a false sense of security after installing a firewall without hiring a knowledgeable firewall administrator and defining a process to control its updates and configuration changes. However, a robust cyber security program is more than a collection of techniques and technologies put together in defense of a network. A sustainable security program must bind these into a cohesive framework driven by risk and compliance, and supported by assessment and training with the common goals of protecting the confidentiality, integrity and availability of information.