Thursday, February 21, 2008

Incorrectly Defining The Problem Based On The Solution

Imagine this. You walk into your doctor's office because you feel you may have a problem, and he reaches into his drug cabinet, pulls out a few bottles of drugs, tells you what they treat, hands them to you and says "That should take care of the problem!" He does not look at your health history, ask you any questions, or check any vital signs. He just hands you some drugs (mind you, they are very effective drugs for the ailments they treat) and wishes you well. Oh, and he also delivers a hefty bill for his services. The doctor has a nice office and plenty of framed certificates on the wall, so he must be good. Time to start popping those pills!

You might get lucky. Maybe your health problem is treatable with one or more of those drugs, and it all works out. Then again, maybe your problem has nothing to do with what those drugs are meant to treat. Of course, you don't know this until it is too late. After all, you paid good money for the advice of the doctor with the fancy office and certificates all over the wall. Who are you to question the validity of his judgement?

Of course, most of us are a little more careful with our health than this. We have come to expect a little more due diligence from our healthcare providers. We expect to have our vitals checked, records looked at, and some sort of sensible diagnosis before receiving treatment.

Security, however, is often handled in the manner first described. Organizations often blindly trust the security vendor's suggestions with almost no understanding of the problem and, more often than not, no discussion of requirements. Security vendors love to talk bits, bytes, standards, and certifications in an attempt to establish credibility. Sadly, this is often quite effective as a sales technique. Sometimes the security vendor's products solve some, or even most, of the problem. Sometimes the purchase just ends up being a very expensive mistake that leaves the organization with a false sense of security, which is worse than no security at all. If you have no security, and know it, at least that forces you to pay attention. Blindly trusting a security system that does not deliver on its promise is a sure pathway to destruction, much like taking drugs for an illness you don't have.
