I recently wrote a blog post about one of the latest threats, Night Dragon, which I closed by commenting that “The answer will not be the latest desktop security software for $44.99”. This single sentence seemed to resonate with folks because so much of what we say in the security industry sounds like the newest silver bullet to solve the problem of the moment.
When I first meet with a potential customer, I like to understand what challenges they face. These can be challenges specific to protecting their organization from threats or helping them find ways to minimize the cost of the not-so-sexy side of security – regulatory compliance. In either case, I want to understand how I can help a customer, not just because I want to tell them about all the great ways my company’s technology will enable them to be better, but also so I can tell them what problems we cannot solve.
I like to explain to potential customers where I will not be able to help them, not because I am a pillar of goodness, but frankly because it is smart business. This is in stark contrast to how some security companies operate. Telling people that single sign-on cloud authentication is going to stop zero-day vulnerabilities, for example, will most likely lead to a very short-term business relationship. On the other hand, when I step back from the desire to make a sale and simply give the kind of advice I would give to a friend, I’m quickly understood as a trusted advisor. In the long run, should that company ever have a need that is met by our solutions, they will remember us and the type of company we are.
Anytime I give a presentation to IT folks, I always start by saying how much I feel for people working in IT. They are told at every turn that there is a solution for their problem, no matter what the problem is.
To that end, I want to be clear, as someone who has a vested interest in selling security products, that there is no single product that will solve all of your security needs. There is no software you can buy for $44.99 per seat that will magically make your life better. The foundation for good security in an organization simply starts with making sure your IT staff is properly educated and made a part of the overall IT and security process.
Although there are top-down directives in IT security, such as compliance, the real wins take place when organizations have a proper mechanism to allow for the hard-working folks in the trenches to bubble things up to the surface. And, for the IT folks reading this, you have to remember it is a two-way street.
If you are working in IT, you cannot simply complain that management does not get it. Typically, when that is the case, it is because you have not articulated the problem and, more importantly, the potential impact to the business, in a way that less technical folks can understand. This is made even more difficult when the only relationship you have with management is asking for things when you need them. I cannot stress enough that the people I see succeeding in IT security are the ones who build relationships on a personal level with management, beyond just asking for the next PO to be approved.
Without building these relationships the question will inevitably be asked of you: “Why did we buy this $44.99 software that you said would fix everything?”
Marc Maiffret co-founded eEye Digital Security in 1998 and returned to the company in July 2010 as CTO. Marc is an industry expert in network security and has accepted three separate invitations to testify before the US Congress on matters of national cybersecurity and critical infrastructure protection. Marc famously discovered the first Microsoft computer worm, “CodeRed”, and was named one of People magazine’s 30 People Under 30. He has been featured in cover stories in Details, the Los Angeles Times, Entrepreneur, Inc., and USA Today, in addition to numerous television appearances. Prior to returning to eEye, Marc served as chief security architect at FireEye.