Henry Ford's famous quote "The customer can have any color he wants so long as it's black." is echoed by many a network and security manager across the world. "Sure, get me a quote from Vendor X, Vendor Y and Cisco. Then they choose Cisco. Don't get me wrong. I like Cisco but they aren't the best for everything.
This article from Leadership Wired "The Challenge of Change" by John Maxwell. http://www.injoy.com/newsletters/leadership/content/issues/11_8/default.htm#1 spurred my thought process. How many times have you seen a similar situation played out in IT and Security?
In Ford's mind, producing multiple colors was foolhardy since black paint dried the fastest and could be used most efficiently. Amazingly, Ford did not comprehend the human preference for variety. Customers flocked en masse to other producers who catered to their color preferences, and Ford Motor Company never regained its grip on the market.
For so long, Henry Ford had focused on moving from inefficiency to efficiency that he refused to move in the opposite direction - from efficiency to inefficiency - even when doing so would have been wise and profitable. Ford's genius in sparking change had catapulted him to the pinnacle of American commerce, but later, his inability to change cost him dearly.
Often we get so caught up in the mind set that because it's Cisco (I don't mean to pick on them but they are the one that I've experienced this with the most) then it's the answer.
So how do we stay out of this trap and ensure that we are making the best choices for our business. First, we have to (this is getting redundant) know our environment, know our business, know our risk acceptance level, know our technical knowledge level, know what we are trying to protect and from who, know our budgetary limits. Once we have answered those questions then we can start to look at solutions. Evaluate them and make a choice based on what works best for you. If you don't answer these questions and just pick a solution based on who the vendor is, what it cost, it's the "industry standard", or how easy it is to deploy and maintain then you are not solving a problem, you're just wasting money.
It's our job and responsibility to make decisions based on what is best for the company. It's kind of like raising kids. Just because it's on the Disney Channel or Cartoon Network doesn't mean that it's what our kids need to watch. What is appropriate for a 12 year old isn't appropriate for a 5 year old and just because it's animated doesn't mean that it's good for any child to watch. The same goes for what we choose to secure our networks. Just because it's considered 'industry standard' or it's made by a big company doesn't mean it's good for us.
So if you've fallen into this trap step back and take a long, hard look at your selection process and refine it to best meet your needs. If it turns out that you still choose Cisco or whoever you would have chosen by "default" then that's great. However, if you discover that there are other vendors who can meet you needs better then you have a feather to put in your hat.
