The last few days have involved me in a number of meetings with both vendors and end customers of all sizes. For much of the week I spent time at the Infosec security show in London but I also managed to squeeze in meetings with ProCurve, once again considering the security facets of its solutions. There was also opportunity to interact with some IT and information management customers considering various aspects of their use of IT and the business drivers. To cap things off nicely I was a panel member on the Lions’ Den session at Infosec where 6 innocent security vendors have their solution propositions pulled to pieces by a panel that includes professionals with very significant experience of what constitutes an acceptable, and operationally sustainable, security offering. It is fascinating to note just how much fun the audience takes in seeing vendors harassed.
Too many security solutions struggle to correctly identify the potential business benefits they enable. It is clear that even fewer vendors appear to understand the restrictions that various facets of European and national legislation can impose, limiting the usability of solutions found acceptable in North America. Perhaps most disturbing of all is the fact that many security solution vendors have little understanding of how acceptable business users find the impact of said solutions, often resulting in systems becoming less secure as users adopt deliberate tactics to avoid the solution.
But the most disturbing element of all is that it is abundantly obvious that many security solution sellers do not appear to know whether the professionals of the IT industry who would be charged with system implementation and operation will be able and comfortable keeping the offerings running as intended in daily operations. In fact the response of some IT pros with whom I converse is that frankly too many security platforms either deliver too little in the way of benefit or are just operationally unsustainable.
Now in some ways it is unfair to single out IT security solutions as having these failings. In fact many developments from vendors suffer from shortfalls in at least one of these areas, especially accurate identification of business advantage. But too many security solutions appear to suffer from limitations in all of these matters. This is strange, as “security” is no longer a novel concept. What is needed is for vendors to really find out what challenges their potential customers are facing, along with gaining a measure of the operational and user inhibitors in force that could influence, positively or negatively, the take-up of their offerings.
Where the inhibitors identified would cause their customers problems, vendors must clearly address those issues. A good example is the matter of “white listing”: in such solutions the buyer must positively authorise every application, site, correspondent etc. before a user is able to use it. If something is not on the white list it will not work.
Many organisations consider the burden of maintaining a credible white list too great and frequently try to avoid such systems. So if your solution depends on “white lists” it will be a tough sell to those who really do not want to be burdened with maintaining such lists. So try selling to someone else, or re-engineer the solution. Of course, actually making sure that you are solving a real problem can be useful research to carry out as well. Anyone want to buy a chocolate teapot?