Sunday, July 4, 2010

The Importance of Trusted Relationships

As a security professional, I have had the opportunity to work with many different companies in the ever expanding world of security. Some of these companies have been very large (multi-billion dollar companies), and others have been quite small. The larger companies have the dubious distinction of being able to pour enormous amounts of marketing dollars into convincing the world that they are at the leading edge with respect to security. Unfortunately, this is absolutely no indicator whatsoever of the security posture of a company. In fact, as I have discovered on more than one occasion, some companies will opt to spend enormous amounts of money on everything EXCEPT building better security, hoping to convince their potential customers that they are the right choice to go with.

I think it is no big secret that many corporations seem to have no problem "embellishing" when it comes to the information they choose to share with the world. We have all seen enough of this at this point in our lives to know it is "just the way it is" in the world of business. We simply accept the fact that some companies choose to create their own versions of reality, and make choices to do business with them despite what we may believe about them. For example, we may not believe that an oil company is as committed to safety or environmental soundness as their public relations department may say they are, but we still choose to buy their petroleum products.

The fact is, most of us are not overly concerned about an oil company's safety record or what they are doing to make our environment better when we purchase fuel. If a company does not have a good safety record or destroys our environment, we simply do not make the connection between that and our lives when we are at the fuel pump. We have other things on our minds.

With other products, it is perhaps a bit different. If a company that produces food or drugs is found to be acting in a scandalous manner, we tend to become a bit more nervous (perhaps more with drugs than food). Finding out that a drug company is being run by a bunch of corrupt and non-trustworthy people may indeed be cause for concern (at least it would be with me). At a more granular level, finding out that my personal physician is a seedy lowlife would certainly make me ask my HMO to provide me with a new doctor. The fact is that when we are forced to trust our lives to a company or person, we want to make sure we are dealing with PEOPLE who can be counted on.

You see, dear reader, an organization is portrayed as being an entity (i.e. a corporation), but we all know that the organization is ultimately a collection of people. Despite the attempt by such organizations to make it about the entity, it is always the people who make or break it.

This certainly holds true in the world of security. When it comes to security products (i.e. security hardware), there are many companies to choose from. In fact, most of the security hardware available today (such as security chips) has become a commodity. When I speak to vendors of AMI (Smart Grid) products, or to organizations interested in implementing security products in health care organizations, one of the first questions that comes up is "How stable and reliable is the company making the security products?".

Organizations that are making decisions about security products are transitioning from those who simply wanted to look like they were doing something to ones who are expending resources on products and services that do what they are supposed to do. This is largely driven by the nearly insatiable appetite the hacking community seems to have for breaking down security systems. When I present a security product line to a company, they ask a lot of questions. This is a welcome departure from several years back, when a company simply asked us what they could buy that fit within a given budget. Today, they want to be sure they are making the right decision for the long haul.

What I have found is that it seems to be very important that the organizations making security decisions trust the organizations they do business with at a much deeper level than ever before. I have intimate one-on-one discussions with security professionals and decision makers in companies who literally want my opinion of the companies I represent. They ask questions like "Do you think these guys are going to be around a while?" and "Are they trustworthy?" and "How do you find them compared to Company B?".

While remaining as tactful as I can, I always tell the truth, because these days most people I speak to in the security world VERIFY what I tell them. I know this because on more than one occasion I have had them return to me and say "I checked out what you said, and found out it was true." At first, I was taken aback by this (at least momentarily), but now I find it absolutely refreshing. In fact, sometimes I take the time to send citations for the claims I make, in order to make it easier for them to verify what I tell them.

You see, ultimately security is built on trust. The character of the people who make up an organization is as important (if not more important) as the products they build. Once I begin questioning the integrity of the people who make up the team of a security organization, I question the stability of the company, and ultimately the products they build. Anyone can build a security product line, given the right resources. However, only companies with integrity can build a security product line they can stand behind, and no matter how big or small the company may be, that is what I believe everyone should look for, and it always starts with the people.