It’s January so lists and predictions abound and most of them are just fun with prognosticators having no real stake in the accuracy of their predictions. One trend that caught my eye was the prevalence of lists in the security space that were focused on product vendors and “hot” product companies. Dark Reading’s list of “20 Startups To Watch In 2015” and CRN’s list of “Top 10 Security Vendors To Watch In 2015” were both dominated by product companies. The focus on products implies that CIO’s and CISO’s are yearning for even more tools to spread across an already thin staff and that’s not been my experience at all.
I understand the focus on products; they offer a simple way to answer most security questions. Oh you lost data; you need a Data Loss Prevention tool. Lost a laptop with proprietary data, buy an endpoint encryption product. Having trouble finding incidents on your network; you need a Security information and Event Management tool. The list goes on and on. This product focused mindset that dominates our industry is part of the problem.
In fact just last week I was in a CIO’s office who’s views on the rush to buy products summed up in one sentence what I’ve tried to articulate here. He told me “If one more person tells me I need to buy (Vendor Name Redacted) I’m going to throw him out the window.”
The answer, find a security services partner that can integrate and optimize what you already own and enable you to tell the security story in business terms. Take your next meeting with a services company and see how much more focused the conversation is on your problems and possible solutions rather than someone else’s pre-existing solution in the form of a product. Obviously I believe this because of my personal experience as a former CISO and the weekly conversations I have now with CIO’s and CISO’s as their services provider but I’d invite you to see for yourself.