
Why seeking perfection in security actually increases risk

Michael Santarcangelo | June 9, 2016
Lance James shares experience and insights on the often hidden risk of chasing perfection with steps security leaders can take to avoid common mistakes

We've seen how rushed intel creates wrong decisions in politics, so why are we not learning from those mistakes?

This is why feedback and evaluation with your clients, meaning sitting down and fine-tuning and prioritizing their interests and requirements, are essential both for a successful relationship when interfacing with intelligence-driven services and for evolving together. People who hire intelligence service providers, again, demand this type of relationship, because you will then not only get the best bang for your buck, but you will help the vendor constantly improve as well, which will benefit you strategically in the long run.

That biweekly conversation is the difference between guessing what is valuable while throwing something over the fence vs. delivering precision-based actionable value every single time.

You suggest it is important to stop showing off, and that we should substitute showing off with something more important. What is that?

As we just discussed, relationships are essential in intelligence, and in business. You walk through an IT conference (not InfoSec) and you can see how those relationships help each other. In the InfoSec world we have very little trust of each other, and it's from the top down that we make our decisions on who we use and trust. Some security companies like to do what I call "stunt work", for example an APT report that only speaks to the services of the security company, or doing some cool hack (be it a car, or whatever) to garner quick tactical attention, yet again yelling at people to be secure. Are either of those really solving the problem? Especially when it says at the end of such materials, "For more information please contact sales@oursecuritycompany". How are we really helping? Protect first, sell second. Or in other words: solve a problem, and the money will come.

Now to be clear, it's all fine for security companies to put out reports and papers on your products and solutions, but it's really about whether those solutions truly solve a problem, not create more panic in our industry. There's a balance needed, and also ethical disclosure practices that have been around for 15 years now. Some of the reports themselves have only served to cause panic (and to note, these are very few and far between in our field), but they do cause a cascading copycat effect among newcomers to our industry who are just trying to make a buck and not really selling anything of true value, such as "unbreakable encryption" offerings.

There are many ways to show your thought leadership - you don't need to draw a logo for the latest vulnerability you discovered or found on a client site because you do incident response for them.
