This interview was a lot of fun because I noticed in talking with CIOs that they are buying security products with the best of intentions, but the products end up abandoned or not fully deployed, with the benefits never realized.
Javvad Malik was a Senior Analyst in the 451 Enterprise Security Practice (until 1 month ago), providing in-depth, timely perspective on the state of enterprise security and emerging trends. Now he is working for Alien Vault as a Security Advocate. I talked with him recently and here is what you will learn:
- What factors contribute towards security shelfware, and what can be done by both vendors and enterprises to avoid this happening?
- If it has happened how can you reverse it?
- What are the top security products that end up on the shelf or marginally used? See the PDF (slide 7).
- Vendors are motivated to say that their software is the easiest to manage and install. There is little motivation to say, “to successfully use and integrate this product you must budget another 1.5 headcount”.
- Why are security products not being used – and why are they ending up in the shed? [3:30]
- Are the products really that bad that vendors are selling them in order to make a quick buck, or is there something fundamentally flawed in the way they are procured or the way the enterprise uses them? [04:00]
- The top leaders and why they are the top shelf products [07:24]
- The products are monitoring, but the customers are not sure what to do with the output. [08:31]
- Compliance based reasons for purchase – PCI Auditor [09:14]
- Is compliance going to stop approaching this from a checkbox perspective and start asking meaningful questions? [09:33]
- Auditors don’t understand the technologies very well. A dance between the enterprise and the auditor – who can pull the wool over whose eyes the best [10:15]
- Why do people partially install SIM? [10:52]
- Skills gap – you need someone who can understand and articulate why certain actions are important [11:15]
- One of the senior staff (CIO or CISO) might be on a 3-5 year stay and a successor comes in and they will normally scrap half the things the predecessor put in place [12:02]
- A huge disconnect between what a vendor considers reasonable and what an enterprise considers reasonable in the amount of resources needed to run a product [12:20]
- The theories and practicality of implementation vary greatly, particularly in large organisations which are like Frankenstein IT developments which have come about through various mergers – it adds to the complexity. [13:00]
- The need to put band-aids over all of your holes to get it to work pushes up your resource requirements significantly. [14:12]
- Large organisations – their biggest challenge is their size and complexity. [15:12]
- Something as simple as determining size and real users which should be really easy to figure out – becomes quite complex for them. Then figuring out where the advanced threats are – well good luck with that. [17:32]
- Technology is the lowest rung. It starts with the people. Then move to the processes.
- You can get a lot of security done without technology or with very low-cost technology. What you can’t do security without is the people and the processes to support that. [18:34]
- In organisations we need a cyber militia. [19:21]
- Cloud Security – from SIEM and Log management. Is there an opportunity for Cloud MSSP Vendors to step into these roles where this can be outsourced? [20:35]
- Some of the functions that were in the Cloud were taken back in house – but actual SIM monitor or core SOC functionality is a slowing trend primarily due to the service provider not knowing this well enough. Trend will be going back to the Cloud or Security Firms but there will be a lot of effort needed to make this work successfully from both parties. [22:05]
- Vendor issues that cause products to sit on the shelf vs. user-created problems that cause products to sit on the shelf? [22:58]
- Usually sales people over promise and customer support is really difficult. [24:00]
- But major problems are on the user side. [24:10]
- It’s a long process. Average buying cycle is 12 months. [24:40]
- Having that future vision and strategy is really important when buying anything. [24:55]
- Basically three types of recovery tips – what are the most important? Return on reporting and see what sticks [25:25]
- Didn’t you read the manual – who reads the manual?? [26:28]
- Re-engage the vendor – the technical support team rather than the sales rep. [27:12]
- Investment on part of vendor – but returns are huge. [28:03]
- More information on how to contact Javvad and his accomplishments. [28:55]
Who is Javvad Malik?
Prior to joining Alien Vault and 451 Research, Malik was an independent security consultant, with a career spanning 12+ years working for companies including NatWest Group, Royal Bank of Scotland Group, Halifax Treasury Services, Tesco Bank, Lloyds Banking Group and BP.
He is an active blogger and event speaker, and is possibly best known as one of the industry’s most prolific video bloggers, with a signature fresh and light-hearted perspective on security that speaks to technical and non-technical audiences alike.
One of my favorite funny quotes from his talk at RSA on this subject was an indictment of enterprise software overall, but I think it is indicative of the landscape we are in as it relates to purchasing and successfully integrating complex security software.
Favorite Quotes from this episode:
- You can’t scale QSA auditors, so this will impact their ability to bring consistency to their oversight job.
- CISO credibility is a big challenge that needs to be solved.
- Size and complexity are the biggest issues with managing security infrastructures.
- Some companies still don’t really even know how many users they have, nor how many consultants work for them…
How to learn more about Javvad:
- His articles regularly feature in online and print media.
- He is a coauthor of The Cloud Security Rules book and also a CISSP companion guide.
- Javvad Video: Which products are gathering dust in the shed and why?
- To follow Javvad on Twitter: J4vv4D
- 2014 RSA conference on this topic presented by Javvad
- His website: http://www.j4vv4d.com/