Security's Everyman

Wednesday, December 31, 2008

Farewell 2008

I hope everyone has a great New Year. 2008 was an interesting year to say the least. Let's hope that 2009 keeps us on our toes and that it's one where we kick some bad guys' butts. :)

Thursday, December 18, 2008

Managing Expectations

I've been dealing with sales people most of my career in technology. When I first got started in the field I had to deliver on the promises that they made to the customer. That or try to explain why what the salesman told him didn't really mean what he thought it meant. Then I moved into a position where I had to start dealing with them as the customer. I learned early on that some would do anything to make a sale. They would say anything, talk to anyone and that the price could always get a little better. Then there are those who were up front with you and who seemed to really have your best interest at heart. They are the ones who aren't afraid to tell you that their product doesn't meet your requirements. They will tell you that they can maybe get special pricing and it isn't tied to you making a decision today. They are the ones who really seek to know your environment so that they can recommend a solution that will honestly work for you.

Alan says that the problem that exists between sales and client is that neither really takes the time to understand the other. While I think that it will be beneficial to all parties for that to happen, I don't agree that the problem lies there. I must say that most of the sales people that I've dealt with have been quality sales people who are good at what they do because they do try to understand their clients' needs. I also think that whereas I may not truly understand the life of a sales person, I do understand that they are dealing with their own set of challenges. I understand that they have to sell if they want to eat and keep their job. How can I best help them? By managing expectations. When I talk with someone about their product I try to be upfront with them if there is not a fit. I also try to be upfront with them as to when I may be ready to make a decision.

If I'm looking at deploying a solution, whether it be vulnerability management, database monitoring, AV or anything else, I will start gathering information several months in advance. Why? Because I've got several projects that I'm working on and I've got to ensure that the solutions work together and not against each other. Also I may actually do an eval way ahead of time just because it works for me to do it then. What I've noticed is that some sales people take that to mean I'm ready to buy, even if I tell them that the project is months down the road. I try to manage their expectations so that they aren't investing lots of time in something that isn't going to happen for a while. If they are smart they will step back, stay in touch and be patient. Some have actually gotten upset that I was looking that far out, and when I reached out to them closer to time they wouldn't submit a quote.

I've also learned that I need to manage their expectations once I've made my choice. This is something new to me because for the first time in my career I work for a company that has a procurement department. Always in the past when I made my decision I submitted it to Management and if they approved it then the order was placed within a few days. Here things are different. I make my decision, go to Management for approval and then it goes into the abyss called procurement. Once there all sorts of things may happen and then usually it emerges on the other side with a PO attached. That process can be anywhere from a couple of weeks to months, but for me it had always been 6 to 8 weeks. Based on this I told an Account Rep that we should have no problem getting a PO cut by a certain date. That was my mistake. The date came and went and the PO was nowhere to be seen and procurement wasn't talking. The problem is that I had gotten VERY aggressive pricing on this and the Account Rep was new with the company, so when the order didn't materialize within the set time frame her boss started to question her judgement in believing my reasons for wanting such aggressive pricing. If she had not been new then her boss probably would have just said something like "Don't be so gullible next time", but in this case it was more like "Did we really make a good choice in bringing her on?". Of course I felt terrible because all of this was based on my lack of managing expectations. I've since learned that I need to do a better job of this. Actually that is what I was trying to do with the sales person that I'm now unhappy with. Yet in this case she wants to set herself up for failure instead of allowing me to try and help her.

So, yes we could all benefit from understanding each other better but more importantly we can all benefit by being upfront with each other. If I don't want to talk or don't have a need then so be it. If I tell you "Call me later" then that's what I mean. If you tell me your product can do X then it really better be able to do it without me having to jump through hoops. If it can't do it then just say so.

How about this. I know that my blog is read by techies, managers, sales, PR, and others. If we want things to work better then take my advice: be honest, manage expectations and work together. Quit putting sales people off just because you don't want to deal with them. Tell them "not now, call me in X weeks" or "please don't call me, I'll call you when I'm ready". Then when we do tell sales something they will believe us and not feel like we're giving them the runaround. For those of you in sales, if we can call next month then call next month. Don't be pushy, don't try to tell us that you can "help" us speed up procurement. If we tell you that there is no way to get this done by the end of the month, quit pressuring us with the latest deal of the moment.

One last thing. @anton_chuvakin made a comment on twitter yesterday that went something like this "XYZ "software suite is the most powerful and comprehensive system... in existence." Some people who do marketing are stupid :-)" I replied back "I had 27 sales people tell me that about their product last week" then Dr. A replied back with "well, all 27 were repeating what 1 marketing person told them :-)" I figure that one marketing person was Rothman. :)

Wednesday, December 17, 2008

Let the throw down begin!

Today Alan Shimel took me out to the woodshed and spanked me! So all in the spirit of good fun we're gonna go toe to toe and work this out.

My job here is to manage the security program. Part of my responsibilities are to evaluate products and make recommendations based upon the defined requirements and the ability of a product to meet those requirements. My CIO's job is to manage the entire IT organization and make sure that what we do matches up with the business requirements of the company. He does not evaluate and recommend products. If a sales person goes to him he sends them to the appropriate department to talk to the SME.

Alan asks "But also who dropped dead and made Andy the single point of contact?"
Andy answers "My CIO made me that point of contact (although he is still living). At least until we are ready to move forward and his input is required. That does make me a gatekeeper of sorts but only because that's how we do things here."

Alan asks "Is Andy not only making the technical decisions but the business and financial ones as well?"
Andy answers "No, I'm not making the business and financial decisions but I do have significant input into the role of security in the business. That is what Security Managers do. They are given information regarding business needs, goals and requirements and they make decisions and recommendations based upon them."

Alan asks "Is Andy the person signing the checks?"
Andy answers "Again, No. I do work within a budget and also part of my job is to ensure that we are spending our budget dollars wisely. So, that's kinda like saying what checks get signed."

Alan says "Here is what I have preached to sales people for years. It is imperative that they multi-thread into an account. Knowing the Andy's of the world is not enough to get the deal done. A good sales person should have relationships with people up and down the organization, including the ability to pick up the phone and speak to the CIO (especially if it is not some Fortune 100 type company). Does Andy really relish his role as the gatekeeper? Is it an ego thing?"
Andy replies "I understand Alan's point about having multiple levels of contact within a company because there are lots of people out there who will give you the run around instead of being honest and telling you the truth. Especially people in technology because many of them are just not good with people. I think that if you are getting the run around then going up the ladder is a fine plan, but if you have been given multiple valid reasons why this is not the time to move forward and you still try to push forward then you have issues. If I was in sales and really needed to make a sale I surely wouldn't waste my time trying to sell to a company that has (I'll say it once again) already given multiple valid reasons why this is not the time to move forward. I'd focus on a sale that I had a chance to make. Not to mention that having relationships also means that you maintain them at ALL levels. Do you really think that you are gaining anything by pushing when you have been told to wait? Is it beneficial to damage a relationship to make one sale? The security community is a small and often tight group of people. I'm amazed that almost everywhere I go I run into someone that knows someone else that I know. You may make a sale here while damaging a relationship, but what about the next time we cross paths? The chances are VERY good that it will happen."

Here's a little story that recently happened to me. I was at a conference and was introduced to someone by a friend. That person happened to work for a company in Atlanta and we exchanged cards. After the conference I was contacted by that person to talk about their product. I met her for lunch along with 2 others from the company. All 3 of them had worked together along with the friend who introduced us. We're sitting in a restaurant and one of them says "Does anyone know where so and so works now?" I said "Yeah, she's my vendor X rep". She had also worked with them. Then a few days later I get an email from another vendor rep who said "You remember the rep that I wanted to introduce you to from Vendor Y? Well, he told me that his wife had lunch with you the other day." She was the one from the first company. It's a small, small security world.

Alan says: "This salesperson was doing her job. She was not getting anywhere with Andy to her satisfaction and was multi-threading into the account. She could have been more up front with Andy about it, but my feeling is that anytime a security admin or manager "forbids" you from talking to other people in the organization they are overstepping their bounds and sending a message that this is not yet at the level of a real opportunity."
Andy replies: "Alan may have been reading another blog here because I can't find anywhere in there where I "forbid" her from anything. Maybe he's just drawing a conclusion. Kinda like the sales person concluded that I was only putting her off because I didn't want to bother with her or be honest with her. I also question his definition of what her job is. Her job is to sell product. That means that she finds potential clients (me), finds out what my needs are, determines what her product can do to meet those needs and convinces me that her solution is the best one for my needs. Her job is not to try and make a sale to someone whose job is not to manage security for the company. You don't go to the CMO to sell accounting software. If this were a small company where the CIO has more input in these decisions it would be different."

Come with me on a little journey. What if she had convinced him to buy her product? Well, that would only happen in one of a couple of ways. First, he decided to make the decision on his own not knowing what the business requirements for this product are. He has no business being CIO. Second, he comes to me and tells me that he wants it and asks for my input. I tell him we don't need it at the moment, there are more pressing projects and I haven't decided on a vendor. He still buys it. He has no business being CIO. So we now have a product that we don't currently need, may not meet all of our requirements, may not be the best fit or the best value for us and I have another piece to force into my security program.
Who wins?
Not me. I've now got another product forced on me and I am learning that my input and opinion are not really valuable to the company so why not move on.
Not my CIO. He has lost my respect and possibly my services. Now he has to find someone else to come in and learn the environment, business and everything else.
Not my company. They just spent a lot of money that wasn't necessary and may not meet their needs.
Not the sales person. She has damaged relationships with a potential customer down the road.
Not the vendor. They have now sold a product that if it doesn't do as expected or doesn't meet the business requirements will only cause the customer to have a bad taste in their mouth.
All of this could have been avoided if the sales person simply chose to wait until next year when a "real" decision could be made.

One last thing and then I'll stop.
Alan said: "I really think it is more about Andy's ego than any real threat."
Andy replies: I can assure you that my ego was the least of the things that were hurt. At least from a "who does he think he is?" perspective. I must admit that it was a little bruised because by going "over my head" she basically said "I know that Andy has already spent lots of time and effort telling me all of the reasons why this wouldn't happen this year but I think he is lying to me so I'm going to go to the CIO and try to sell him my product." Maybe I'm overreacting a little here but I did tell her why I wanted her to wait and she still thought I was giving her the run around.

Tuesday, December 16, 2008

How to NOT sell me security products (Part 2)

This is a continuation of my earlier post. I'm adding to it for a couple of reasons. I wanted to tell more of the story than time permitted on the bus this morning and I received a pretty good comment from a former sales person looking at this from the perspective of a sales person. I'm going to post Sam's comment and then reply to it while adding more details.

Having been in that (sales) role many times, I have to say that your statement cries out "pigeonhole". In other words, a statement people would tell a salesperson in order to get them off their back, but without intention of follow up. I can't tell you how many times I've heard someone tell me something similar and never, ever follow through with their word (i.e. will talk to you after the first of the year - yeah, right). I'm just scratching the surface on this comment, though.

On top of this, it sounds to me like you're making a business decision based on a personal experience with a salesperson. That doesn't sound like the right thing to do, either. What if the company offered a great solution? You're going to pass it up because a salesperson ticked you off???

I'm not saying you are, but my experience has been that many customers lie just as much as their sales folks do. Two sides to each coin.

Sam, you make some good points and I realize that you are talking in generalities and not specifics, but I still get to reply because it's my blog. :) While I will admit that in the past I have put sales people off by telling them "we'll talk later", I also usually tell them "You call me". That way it's clear that the ball is in their court. I may not be interested now but in a few weeks or months I may be. I always try and be honest with them and let them know if what they are selling fits any of my needs. If it doesn't then I tell them "Not now, maybe later". If I really want their product then if I don't hear from them w/i the set time period I'll reach out to them or someone else that can get me the same product.

This case was a little different. She had been pushing me to try and get this ordered before the end of the year. I had told her numerous times that I did not need her product at this time. It would be nice to have and would provide added security. It would also be easier to manage than the 2 or 3 free products that I'm currently using to do the same thing. I had also told her that even if I did want and need it right now that there was no way that I could get it through procurement in time to get end of year pricing. I explained to her that our procurement process is painfully slow and that no matter how important it was or what level of management wanted it things would not speed up to the point to have it approved by end of year. I explained that since it was not a need that I would not be able to get management sponsorship to "rush" it through. I explained that by waiting until next year I was not putting myself in a bad position. I also explained that the company would rather pay more and NOT rush than rush and make a wrong decision. I also explained that I was still evaluating other vendor offerings to meet these needs and that I had NOT made a decision as to which one I would choose. Yet she still made the decision to go to the CIO and try to tell him how much he needed this product. He didn't even know that I was evaluating products because it's not high enough on my list to let him know yet.

As for the "making a business decision based on a personal experience with a salesperson" comment, you are right. I'm making the conscious decision to not do business with her based on several factors. First, I had made it clear that we were not ready to purchase a product. Second, I had given her a time to get back to me to further discuss this. Third, I had told her that talking to the CIO would produce no results because he does not evaluate and recommend products. Fourth, she is extremely pushy. Fifth, she lied to the CIO and told him that I wanted the product and that we had a conference call lined up for the following day. Sixth, she pissed me off. Seventh, there are several other vendors that do the same thing just as well as her product. Now I can get past number 6 because I've been pissed off by sales people before and still bought from them. Not to mention I've pissed off my fair share of people in the past. I have a very hard time getting past numbers 1-4 because I had been clear in making my needs, wishes, desires, etc. known. I can't get past number 5 because the combination of 1-4 plus 5 shows that she has very little personal integrity. If she is willing to lie and go behind my back to make a sale how can I be expected to trust her in what she is telling me regarding the product, service, etc.? (Let's not go into the "everyone lies" bit b/c even though any lie is not good there are limits).

How to NOT sell me security products

This will be short and to the point. If you WANT to sell me your product do NOT do the following.

Call my CIO and try to convince him that he needs your product AFTER I have told you to wait until after the first of the year to talk more with ME about this!

I don't know if this sales person reads my blog or not but if you do you have absolutely no chance of selling me your product now. Not here. Not at any other company that I may work for in the future.

Monday, December 15, 2008

3rd Party Security

Rebecca Herold has a post up regarding the importance of ensuring 3rd party security. This is one example of how sloppy (and sometimes even fairly good) security from a partner, client or vendor can cause you all sorts of headaches. There are lots of other reasons also to do security audits of those you give network access to. I know that lots of companies talk about doing this but I wonder how many really do. I run across lots of people who work for companies that have policies in place that state that they must do security audits before giving you access to the network. Yet many of these same people tell me that they actually DON'T do these required audits. I also run across vendors and others who tell me that they have been given access to company networks with no audit requirement at all. Occasionally they have to sign a "3rd Party Access Agreement" or some other such document.

What concerns me is that these companies are putting themselves in a bad place. They think that they are covered because policy is in place or because they ask you to sign an NDA. Neither of these will hold water if you have a problem that is caused by the 3rd party and you can't prove that you did your due diligence. If you have a requirement to do a 3rd party security audit then you had better do it. If you say that you require your 3rd parties to do X then you need to prove that you have verified that X is being done. We can't continue to throw out a requirement without doing our part to make sure that the requirement is being enforced.

There are lots of things that can go wrong when giving anyone access to your network; even your own users. It can be difficult enough to keep your users audited and ensure that their protections are in place and that you are doing all you can to protect your data and network from them. Then if you throw in the complication of a bunch of machines that you don't control or set requirements for it makes it even worse. That is why you really need to make sure that you are extra diligent in protecting your data from these.

The list of things that can go wrong is as long as my arm. They can bring in a system that has been infected with a virus that may be spread to your systems. Hopefully your AV is installed and up to date on all of your systems, but that isn't always the case. In some instances companies don't install AV on certain systems because of performance and compatibility issues. These systems could become infected and, depending on the virus, they may attempt to spread it to other systems constantly, or they may become part of a botnet that can do all sorts of nefarious things. It may be loaded with a rootkit or backdoor that gives a bad guy control of that system and then he can work his way through your network. There is also the possibility that a bad guy enters their network and uses one of their systems to gain access to your network. They could take data out of your network and lose it, give it away, sell it, or use it for their own purposes. They could alter data, plant keyloggers, sniffers, APs, etc. The list goes on and on.

So therefore I repeat my premise that when dealing with 3rd parties we don't need to be as strict as we are with our users; we need to be even more strict. We have to do more than use CYA with a policy or NDA. We have to verify that they are doing what we require and what they say they are doing. If not then you may find yourself on the receiving end of a legal or regulatory nightmare.

Thursday, December 11, 2008

Is that MY data?

Disclosure: I attended a half day seminar on e-discovery where this story was told by Randy Kahn of Kahn Consulting. It got me to thinking and some of this is reflective of some of his talk.

In early Sept 2008 United Airlines stock fell by as much as 75% because of a 6 year old article that found its way onto Google. The article had no date attached to it and was accidentally re-posted to a newspaper's web site. Over the weekend the article started turning up in searches about United Airlines. As investors and automatic investment software saw the article they started to panic and sell shares of United stock and caused the price to fall drastically. Luckily people actually started researching the information and discovered that it was old news and not relevant to present time. Fortunately the stock did rebound and regained most of the loss.

How did this happen? I can't say for sure but it sounds like someone wasn't managing their data very well. How does well managed data get mishandled like that? Obviously there is a legitimate business case for keeping old stories like this around. They are useful for research and such, but the data could have been tagged in such a way as to keep something like this from happening. It could have had restrictions placed on the way it could be used. The problem with this is that it requires technologies to make this stuff happen that unfortunately are not used by many companies. This makes data management and security a nightmare for many.

Unfortunately I don't have a low cost, easy to implement answer to this problem but it is something that needs to be addressed in your company. We all know that we can't secure what we don't know about. We can't secure the data if we don't know where it is, who is accessing it and what they are doing with it. Data has been taken too lightly for too long. It's been treated like it doesn't matter and that it's impervious to loss, misuse or any other bad thing. Sure we play the game and put in firewalls to keep bad guys out and put in a few other things inside the network and on host systems to make us all feel a little better, but we aren't managing the data itself. We aren't teaching the DBAs, Server Admins, End Users and anyone else that it is important that it not be tossed around like a rag doll. We're not building the case to Upper Management that having policy with teeth is critical to keeping us safe.

We write policies and set them in their little corner to be pulled out when the auditor asks for them or when someone does something bad, but other than that we pretty much ignore them. We don't train our users on what they say and why they say it, we don't teach them how to follow them. We don't work with the business units to ensure that the policies are even effective and enforceable. We don't meet with legal, compliance and other groups to see how the policy fits into law and regulations. We don't look at how a change to one policy affects other policies and makes them more or less effective and enforceable.

I know that I'm making a wide sweeping statement with much of this and that this isn't the case for all companies. The problem is that it occurs in way too many places because companies and people are just playing the game. They aren't taking their compliance and security programs seriously. They want to check their box and move on. They aren't thinking outside the box and looking at things from a holistic perspective. In today's world where data is king we can't play games. We can't do "just enough". We can't keep thinking that security is a nuisance that we have to live with. Management has to take the lead and hire and equip the right people with the right tools and training. They have to take security seriously and they have to realize that there have to be consequences for what happens to data, the consequences have to fall on the right people, and there has to be some pain associated with them or nothing will really change.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.