Andy ITGuy


What I want to talk about today is what causes FOI. Let’s step back and remember what it was that started this whole FOI thing anyway. It’s because many people don’t believe that you can truly have Security ROI. Security isn’t so much an investment that you expect to make money with as it is money spent to protect investments that do make money. So we have to look at security from a different perspective than we do other technology purchases. Since we look at it differently we have to measure it differently.

So when we talk about failure of investment we have to start off by differentiating between failure of people and failure of technology. People fail because they are people and because they often don’t know what to do or how to do it. Technology fails because it is designed, built, configured and maintained by people. It fails because it is programmed to do a set of tasks and when faced with doing something different it doesn’t know what to do but fail.

Security fails for a variety of reasons. I know that you are expecting me to spout off things like improper configurations, poorly trained staff, implementing the wrong technology, lack of awareness and user training. Although all of those are things that can lead to FOI, there is much more to it. Failure can occur when technology isn’t updated or properly maintained, or when the vendor doesn’t provide timely updates and patches. Failure occurs when the things that make for a good security program aren’t done regularly, properly and diligently.

Now the real question is how does this happen? How does it get to the point where these things are neglected or never properly implemented? I think it’s because the company doesn’t understand what the real threat is. Companies implement security to meet compliance, satisfy audit and provide enough protection to say they are doing something. They don’t take it to the next level of making security a priority. That means having support from the top. That means making a concerted effort to make sure that all employees know the what, why and when of security. Security fails when it’s not taken seriously by all involved. It’s not something that can be done by one person or even one department. It has to be a company-wide program. The network team can still route packets without the participation of HR, Maintenance and the rest of the company. The server team can still "serve" up files, applications and data without the rest of the company being on board. The security team can’t be successful unless the whole company buys in to the program, because it only takes one person to open up the hole that allows the data to flow out or the malware to flow in.

In tough economic times we all have to watch where we spend money and how we spend it. We can’t let bad financial times or the threat of what may happen keep us from spending what we need to spend to ensure that our data is secure. We can’t be stupid and spend just for the sake of spending, but we also can’t not spend just to save money. Sometimes money has to be spent now to keep from spending more later.

I remember several years ago there was a commercial for Pennzoil with Arnold Palmer. The key line was “You can pay now or you can pay later”. It was in reference to spending a little now to change your oil regularly or paying a lot later when you have to have major repairs. I also saw something today that made me think about this. There is a water line break in Atlanta near my office. It’s been there for about 2 or 3 weeks. You can see where the water is seeping through the asphalt and it’s creating a nice little river flowing down a side road. Of course it’s frozen a time or two and probably will tonight since it’s supposed to get down to the upper 20s tonight. I assume that it’s not being fixed because of the budget crunch that the city of Atlanta is in, but the problem is that soon it’s going to cause a sinkhole and cost a lot more to repair. Not to mention it’s going to create a traffic nightmare at a busy intersection and possibly cause injury to someone if they happen to be driving over that spot when it decides to collapse. So in an effort to save a couple of thousand dollars the city will probably end up spending 30 or 40 thousand, wasting lots of water and possibly causing someone to get hurt. Of course if that happens then there will be a multi-million dollar lawsuit.

Now that we are in a new year and are looking forward to what we will be able to do and those things that we won’t be able to do, we have to plan on selling the really important things more than ever. We need to start now in building our case to management on why we can’t delay certain things. We also need to be prepared to go to them with our list of “sacrificial lambs”: things that we had planned on doing but that are not as important as the “gotta haves”. By doing this we show them a couple of things. One, that what we are keeping is really important, and two, that we are willing to make sacrifices in order to get the really necessary things.

We took December off but we’re back and ready to roll. Our next meeting will be Wednesday Jan 14, 2009 at 7:00. We’re meeting at the MARTA headquarters building in Buckhead at 2424 Piedmont Rd, Atlanta, GA 30324. It’s at the intersection of Piedmont Rd. and Morosgo Dr. across from the twin AT&T towers. This is the location of the MARTA Lindbergh Station. The meeting will be held in the Bid Room on the first floor. You will have to sign in at the security desk.


The talk will be given by Renault Ross of Symantec (no sales just knowledge sharing). He will be speaking on End Point Security and NAC. Pizza and drinks will be provided so come hungry.

We’re still young and are looking to grow so make plans to join us. Feel free to invite your friends and pass the word along to others. We will be giving away a couple of door prizes as well. If you know that you will be attending please email me (andy.itguy at yahoo dot com) and let me know so we can get a general count for ordering pizza.

My buddy Jack Daniel pointed us to a new blogger that is worth following. As I was looking through some of his posts I ran across one entitled “Failure of Investment”. Of course that caught my eye because of the conversations that I, Jack Daniel (here and here) and a few others had on this topic back in September of last year.

Tim’s post got me to thinking again about FOI. I had intended to expand on the concept more last year, but as you (hopefully) noticed my blogging fell off drastically the last few months of the year due to life getting in the way. Now that a new year is here, I’m hoping to get back into regular blogging, and what better topic than FOI to start with.

What I want to talk about today is defining FOI at a more granular level.
Failure is measured differently for different technologies. You can’t define failure the same for a firewall as you would for a host-based anti-virus program. They are different technologies and have to be measured differently. It can even be argued that within the same technology there are different tolerance levels for failure. An AV program that lets a virus through to a workstation that has very limited network access isn’t as serious as one that allows an AD server to get infected.

So how do you go about defining failure? It goes back to a security basic: risk. What is the risk if failure happens with a technology at a certain level? This is why it is so important that decisions to purchase and implement technologies not be taken lightly. Don’t make a decision based on the fact that it is from a certain vendor. Don’t make a decision based solely on price. Don’t make a decision based on “ease of use”.

You have to know what you are protecting, what its value to the company is and what level of failure each thing can handle. If you don’t know this then you are going to set yourself up for FOI and a new job search.
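The post argues that the same control failure means different things depending on what the failed control was protecting: an AV miss on an isolated workstation versus an AV miss on an AD server. The script below is an added example, not code from the original post, that makes that comparison concrete. It walks a constructed network-reach graph to estimate how much business value a compromise of a given asset exposes, then compares that exposure to a per-technology tolerance. Every asset name, value, reach edge and tolerance figure is invented for illustration.

```python
"""Added example (not from the original post): rank a control failure by the
business value it exposes, using a constructed asset inventory.

All names, values, reach edges and tolerances below are hypothetical.
"""
from collections import deque

# Constructed inventory: asset -> business value (arbitrary units, higher = more valuable).
ASSET_VALUE = {
    "kiosk-ws": 1,       # workstation with very limited network access
    "finance-ws": 5,
    "file-server": 20,
    "ad-server": 50,     # domain controller: a compromise here reaches everything it manages
    "db-server": 40,
}

# Constructed network reach: once an asset is compromised, which assets it can get to.
REACH = {
    "kiosk-ws": [],
    "finance-ws": ["file-server"],
    "file-server": ["db-server"],
    "ad-server": ["finance-ws", "file-server", "db-server", "kiosk-ws"],
    "db-server": [],
}

# Hypothetical tolerance per technology: how much value one failure of this control
# may expose before it counts as a serious FOI. Set per technology, as the post argues.
FAILURE_TOLERANCE = {
    "host-av": 10,
    "firewall": 25,
}


def exposed_assets(start, reach=REACH):
    """Breadth-first walk: every asset reachable from a compromised starting asset."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in reach.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_value(start, values=ASSET_VALUE, reach=REACH):
    """Total business value exposed if `start` is compromised (itself plus what it reaches)."""
    return sum(values[asset] for asset in exposed_assets(start, reach))


def classify_failure(control, asset):
    """Return (exposed_value, verdict) for a failure of `control` on `asset`.

    The verdict is relative to the tolerance configured for that control type,
    so the same kind of miss is judged differently on different assets.
    """
    exposed = exposure_value(asset)
    verdict = "within tolerance" if exposed <= FAILURE_TOLERANCE[control] else "serious"
    return exposed, verdict


if __name__ == "__main__":
    # Rank every asset by what a host-AV miss on it would expose.
    for asset in sorted(ASSET_VALUE, key=exposure_value, reverse=True):
        exposed, verdict = classify_failure("host-av", asset)
        print(f"host-av miss on {asset:12s} exposes {exposed:4d} -> {verdict}")
```

The verdict is driven by reach, not by the asset's own value: the finance workstation is worth little on its own, but because it can get to the file server and from there to the database, an AV miss there is rated serious, while the isolated kiosk stays within tolerance.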

It’s a new year and most people have made resolutions, predictions, set goals or other such things to start the new year off on the right foot. I too have done the same, sort of. I gave up on resolutions years ago. Don’t do predictions but do set goals. I also take a few minutes and look around and think about life and what I need to do or can do to make it better for myself, my family and those I come in contact with.

I’ve set personal goals relating to my marriage, fathering, hobbies, fitness, etc and I’m putting plans in place to make them happen.

At work I’ve looked at my list of projects and what needs to be done and have prioritized the projects and set dates for the other things.

I’m hoping that this year will be better than last year although I really can’t complain about last year. Even with the economy tanking I’m still employed in a job that I usually enjoy. :) My family is doing well and I really can’t ask for more and sure don’t deserve more.

I’ve got one goal that I hope to have accomplished by next Monday and that is to find a new calendar for my office at work. If I can do that then I’ll consider the first few days of 2009 a success.

I’ve been dealing with sales people most of my career in technology. When I first got started in the field I had to deliver on the promises that they made to the customer. That or try to explain why what the salesman told him didn’t really mean what he thought it meant. Then I moved into a position where I had to start dealing with them as the customer. I learned early on that some would do anything to make a sale. They would say anything, talk to anyone and that the price could always get a little better. Then there are those who were up front with you and who seemed to really have your best interest at heart. They are the ones who aren’t afraid to tell you that their product doesn’t meet your requirements. They will tell you that they can maybe get special pricing and it isn’t tied to you making a decision today. They are the ones who really seek to know your environment so that they can recommend a solution that will honestly work for you.

Alan says that the problem that exists between sales and client is that neither really takes the time to understand the other. While I think that it will be beneficial to all parties for that to happen, I don’t agree that the problem lies there. I must say that most of the sales people that I’ve dealt with have been quality sales people who are good at what they do because they do try to understand their clients’ needs. I also think that whereas I may not truly understand the life of a sales person, I do understand that they are dealing with their own set of challenges. I understand that they have to sell if they want to eat and keep their job. How can I best help them? By managing expectations. When I talk with someone about their product I try to be upfront with them if there is not a fit. I also try to be upfront with them as to when I may be ready to make a decision.

If I’m looking at deploying a solution, whether it be vulnerability management, database monitoring, AV or anything else, I will start gathering information several months in advance. Why? Because I’ve got several projects that I’m working on and I’ve got to ensure that the solutions work together and not against each other. Also I may actually do an eval way ahead of time just because it works for me to do it then. What I’ve noticed is that some sales people take that to mean I’m ready to buy. Even if I tell them that the project is months down the road. I try to manage their expectations so that they aren’t investing lots of time in something that isn’t going to happen for a while. If they are smart they will step back, stay in touch and be patient. Some have actually gotten upset that I was looking that far out and when I reached out to them closer to time they wouldn’t submit a quote.

I’ve also learned that I need to manage their expectations once I’ve made my choice. This is something new to me because for the first time in my career I work for a company that has a procurement department. Always in the past when I made my decision I submitted it to Management and if they approved it then the order was placed within a few days. Here things are different. I make my decision, go to Management for approval and then it goes into the abyss called procurement. Once there all sorts of things may happen and then usually it emerges on the other side with a PO attached. That process can be anywhere from a couple of weeks to months, but for me it had always been 6 to 8 weeks. Based on this I told an Account Rep that we should have no problem getting a PO cut by a certain date. That was my mistake. The date came and went and the PO was nowhere to be seen and procurement wasn’t talking. The problem is that I had gotten VERY aggressive pricing on this and the Account Rep was new with the company, so when the order didn’t materialize within the set time frame her boss started to question her judgement in believing my reasons for wanting such aggressive pricing. If she had not been new then her boss probably would have just said something like “Don’t be so gullible next time”, but in this case it was more like “Did we really make a good choice in bringing her on?”. Of course I felt terrible because all of this was based on my lack of managing expectations. I’ve since learned that I need to do a better job of this. Actually that is what I was trying to do with the sales person that I’m now unhappy with. Yet in this case she wants to set herself up for failure instead of allowing me to try and help her.

So, yes we could all benefit from understanding each other better but more importantly we can all benefit by being upfront with each other. If I don’t want to talk or don’t have a need then so be it. If I tell you “Call me later” then that’s what I mean. If you tell me your product can do X then it really better be able to do it without me having to jump through hoops. If it can’t do it then just say so.

How about this. I know that my blog is read by techies, managers, sales, PR, and others. If we want things to work better then take my advice: be honest, manage expectations and work together. Quit putting sales people off just because you don’t want to deal with them. Tell them “not now, call me in X weeks” or “please don’t call me, I’ll call you when I’m ready”. Then when we do tell sales something they will believe us and not feel like we’re giving them the runaround. For those of you in sales, if we say call next month then call next month. Don’t be pushy, don’t try to tell us that you can “help” us speed up procurement. If we tell you that there is no way to get this done by the end of the month, quit pressuring us with the latest deal of the moment.

One last thing. @anton_chuvakin made a comment on twitter yesterday that went something like this “XYZ “software suite is the most powerful and comprehensive system… in existence.” Some people who do marketing are stupid :-) ” I replied back “I had 27 sales people tell me that about their product last week” then Dr. A replied back with “well, all 27 were repeating what 1 marketing person told them :-) ” I figure that one marketing person was Rothman. :)

Today Alan Shimel took me out to the wood shed and spanked me! So all in the spirit of good fun we’re gonna go toe to toe and work this out.

My job here is to manage the security program. Part of my responsibilities are to evaluate products and make recommendations based upon the defined requirements and the ability of a product to meet those requirements. My CIO’s job is to manage the entire IT organization and make sure that what we do matches up with the business requirements of the company. He does not evaluate and recommend products. If a sales person goes to him he sends them to the appropriate department to talk to the SME.

Alan asks “But also who dropped dead and made Andy the single point of contact?”
Andy answers “My CIO made me that point of contact (although he is still living). At least until we are ready to move forward and his input is required. That does make me a gatekeeper of sorts but only because that’s how we do things here.”

Alan asks “Is Andy not only making the technical decisions but the business and financial ones as well?
Andy answers “No, I’m not making the business and financial decisions but I do have significant input into the role of security in the business. That is what Security Managers do. They are given information regarding business needs, goals and requirements and they make decisions and recommendations based upon them.

Alan asks “Is Andy the person signing the checks?”
Andy answers “Again, No. I do work within a budget and also part of my job is to ensure that we are spending our budget dollars wisely. So, that’s kinda like saying what checks get signed.

Alan says Here is what I have preached to sales people for years. It is imperative that they multi-thread into an account. Knowing the Andy’s of the world is not enough to get the deal done. A good sales person should have relationships with people up and down the organization, including the ability to pick up the phone and speak to the CIO (especially if it is not some Fortune 100 type company). Does Andy really relish his role as the gatekeeper? Is it an ego thing?”
Andy replies I understand Alan’s point about having multiple levels of contact within a company because there are lots of people out there who will give you the runaround instead of being honest and telling you the truth. Especially people in technology because many of them are just not good with people. I think that if you are getting the runaround then going up the ladder is a fine plan, but if you have been given multiple valid reasons why this is not the time to move forward and you still try to push forward then you have issues. If I was in sales and really needed to make a sale I surely wouldn’t waste my time trying to sell to a company that has (I’ll say it once again) already given multiple valid reasons why this is not the time to move forward. I’d focus on a sale that I had a chance to make. Not to mention that having relationships also means that you maintain them at ALL levels. Do you really think that you are gaining anything by pushing when you have been told to wait? Is it beneficial to damage a relationship to make one sale? The security community is a small and often tight group of people. I’m amazed that almost everywhere I go I run into someone that knows someone else that I know. You may make a sale here while damaging a relationship but what about the next time we cross paths? The chances are VERY good that it will happen.

Here’s a little story that recently happened to me. I was at a conference and was introduced to someone by a friend. That person happened to work for a company in Atlanta and we exchanged cards. After the conference I was contacted by that person to talk about their product. I met her for lunch along with 2 others from the company. All 3 of them had worked together along with the friend who introduced us. We’re sitting in a restaurant and one of them says “Does anyone know where so and so works now?” I said “Yeah, she’s my vendor X rep”. She had also worked with them. Then a few days later I get an email from another vendor rep who said “You remember the rep that I wanted to introduce you to from Vendor Y? Well, he told me that his wife had lunch with you the other day.” She was the one from the first company. It’s a small, small security world.

Alan says: “This salesperson was doing her job. She was not getting anywhere with Andy to her satisfaction and was multi-threading into the account. She could have been more up front with Andy about it, but my feeling is that anytime a security admin or manager “forbids” you from talking to other people in the organization they are overstepping their bounds and sending a message that this is not yet at the level of a real opportunity.
Andy replies: “Alan may have been reading another blog here because I can’t find anywhere in there where I “forbid” her from anything. Maybe he’s just drawing a conclusion. Kinda like the sales person concluded that I was only putting her off because I didn’t want to bother with her or be honest with her. I also question his definition of what her job is. Her job is to sell product. That means that she finds potential clients (me), finds out what my needs are, determines what her product can do to meet those needs and convinces me that her solution is the best one for my needs. Her job is not to try and make a sale to someone whose job is not to manage security for the company. You don’t go to the CMO to sell accounting software. If this were a small company where the CIO has more input in these decisions it would be different.

Come with me on a little journey. What if she had convinced him to buy her product? Well, that would only happen in one of a couple of ways. First, he decided to make the decision on his own not knowing what the business requirements for this product are. He has no business being CIO. Second, he comes to me and tells me that he wants it and asks for my input. I tell him we don’t need it at the moment, there are more pressing projects and I haven’t decided on a vendor. He still buys it. He has no business being CIO. So we now have a product that we don’t currently need, may not meet all of our requirements, may not be the best fit or the best value for us and I have another piece to force into my security program.
Who wins?
Not me. I’ve now got another product forced on me and I am learning that my input and opinion are not really valuable to the company so why not move on.
Not my CIO. He has lost my respect and possibly my services. Now he has to find someone else to come in and learn the environment, business and everything else.
Not my company. They just spent a lot of money that wasn’t necessary and may not meet their needs.
Not the sales person. She has damaged relationships with a potential customer down the road.
Not the vendor. They have now sold a product that if it doesn’t do as expected or doesn’t meet the business requirements will only cause the customer to have a bad taste in their mouth.
All of this could have been avoided if the sales person simply chose to wait until next year when a “real” decision could be made.

One last thing and then I’ll stop.
Alan said: “I really think it is more about Andy’s ego than any real threat.”
Andy replies: I can assure you that my ego was the least of the things that were hurt. At least from a “who does he think he is?” perspective. I must admit that it was a little bruised because by going “over my head” she basically said “I know that Andy has already spent lots of time and effort telling me all of the reasons why this wouldn’t happen this year but I think he is lying to me so I’m going to go to the CIO and try to sell him my product.” Maybe I’m overreacting a little here but I did tell her why I wanted her to wait and she still thought I was giving her the runaround.

This is a continuation of my earlier post. I’m adding to it for a couple of reasons. I wanted to tell more of the story than time permitted on the bus this morning and I received a pretty good comment from a former sales person looking at this from the perspective of a sales person. I’m going to post Sam’s comment and then reply to it while adding more details.

Having been in that (sales) role many times, I have to say that your statement cries out “pigeonhole”. In other words, a statement people would tell a salesperson in order to get them off their back, but without intention of follow up. I can’t tell you how many times I’ve heard someone tell me something similar and never, ever follow through with their word (i.e. will talk to you after the first of the year – yeah, right). I’m just scratching the surface on this comment, though.

On top of this, it sounds to me like you’re making a business decision based on a personal experience with a salesperson. That doesn’t sound like the right thing to do, either. What if the company offered a great solution? You’re going to pass it up because a salesperson ticked you off???

I’m not saying you are, but my experience has been that many customers lie just as much as their sales folks do. Two sides to each coin.

Sam, you make some good points and I realize that you are talking in generalities and not specifics, but I still get to reply because it’s my blog. :) I will admit that in the past I have put sales people off by telling them “we’ll talk later”, but I also usually tell them “You call me”. That way it’s clear that the ball is in their court. I may not be interested now but in a few weeks or months I may be. I always try and be honest with them and let them know if what they are selling fits any of my needs. If it doesn’t then I tell them “Not now, maybe later”. If I really want their product then if I don’t hear from them within the set time period I’ll reach out to them or someone else that can get me the same product.

This case was a little different. She had been pushing me to try and get this ordered before the end of the year. I had told her numerous times that I did not need her product at this time. It would be nice to have and would provide added security. It would also be easier to manage than the 2 or 3 free products that I’m currently using to do the same thing. I had also told her that even if I did want and need it right now that there was no way that I could get it through procurement in time to get end of year pricing. I explained to her that our procurement process is painfully slow and that no matter how important it was or what level of management wanted it things would not speed up to the point to have it approved by end of year. I explained that since it was not a need that I would not be able to get management sponsorship to “rush” it through. I explained that by waiting until next year I was not putting myself in a bad position. I also explained that the company would rather pay more and NOT rush than rush and make a wrong decision. I also explained that I was still evaluating other vendor offerings to meet these needs and that I had NOT made a decision as to which one I would choose. Yet she still made the decision to go to the CIO and try to tell him how much he needed this product. He didn’t even know that I was evaluating products because it’s not high enough on my list to let him know yet.

As for the “making a business decision based on a personal experience with a salesperson” comment you are right. I’m making the conscious decision to not do business with her based on several factors. First, I had made it clear that we were not ready to purchase a product. Second, I had given her a time to get back to me to further discuss this. Third, I had told her that talking to the CIO would produce no results because he does not evaluate and recommend products. Fourth, she is extremely pushy. Fifth, she lied to the CIO and told him that I wanted the product and that we had a conference call lined up for the following day. Sixth, she pissed me off. Seventh, there are several other vendors that do the same thing just as well as her product. Now I can get past number 6 because I’ve been pissed off by sales people before and still bought from them. Not to mention I’ve pissed off my fair share of people in the past. I have a very hard time getting past numbers 1-4 because I had been clear in making my needs, wishes, desires, etc. known. I can’t get past number 5 because the combination of 1-4 plus 5 shows that she has very little personal integrity. If she is willing to lie and go behind my back to make a sale how can I be expected to trust her in what she is telling me regarding the product, service, etc… (Let’s not go into the “everyone lies” bit because even though any lie is not good there are limits).

This will be short and to the point. If you WANT to sell me your product do NOT do the following.

Call my CIO and try to convince him that he needs your product AFTER I have told you to wait until after the first of the year to talk more with ME about this!

I don’t know if this sales person reads my blog or not but if you do you have absolutely no chance of selling me your product now. Not here. Not at any other company that I may work for in the future.

Rebecca Herold has a post up regarding the importance of ensuring 3rd party security. This is one example of how sloppy (and sometimes even fairly good) security from a partner, client or vendor can cause you all sorts of headaches. There are lots of other reasons also to do security audits of those you give network access to. I know that lots of companies talk about doing this but I wonder how many really do. I run across lots of people who work for companies that have policies in place that state that they must do security audits before giving you access to the network. Yet many of these same people tell me that they actually DON’T do these required audits. I also run across vendors and others who tell me that they have been given access to company networks with no audit requirement at all. Occasionally they have to sign a “3rd Party Access Agreement” or some other such document.

What concerns me is that these companies are putting themselves in a bad place. They think that they are covered because policy is in place or because they ask you to sign a NDA. Neither of these will hold water if you have a problem that is caused by the 3rd party if you can’t prove that you are doing your due diligence. If you have a requirement to do a 3rd party security audit then you had better do it. If you say that you require your 3rd parties to do X then you need to prove that you have verified that X is being done. We can’t continue to throw out a requirement without doing our part to make sure that the requirement is being enforced.

There are lots of things that can go wrong when giving anyone access to your network; even your own users. It can be difficult enough to keep your users audited and ensure that their protections are in place and that you are doing all you can to protect your data and network from them. Then if you throw in the complication of a bunch of machines that you don’t control or set requirements for it makes it even worse. That is why you really need to make sure that you are extra diligent in protecting your data from these.

The list of things that can go wrong is as long as my arm. They can bring in a system that has been infected with a virus that may be spread to your systems. Hopefully your AV is installed and up to date on all of your systems, but that isn’t always the case. In some instances companies don’t install AV on certain systems because of performance and compatibility issues. These systems could become infected and depending on the virus they may attempt to spread it to other systems constantly, or they may become part of a botnet that can do all sorts of nefarious things. It may be loaded with a rootkit or backdoor that gives a bad guy control of that system and then he can work his way through your network. There is also the possibility that a bad guy enters their network and uses one of their systems to gain access to your network. They could take data out of your network and lose it, give it away, sell it, use it for their own purposes. They could alter data, plant keyloggers, sniffers, APs etc… The list goes on and on.

So therefore I repeat my premise that when dealing with 3rd parties we don’t need to be as strict as we are with our users; we need to be even more strict. We have to do more than CYA with a policy or NDA. We have to verify that they are doing what we require and what they say they are doing. If not then you may find yourself on the receiving end of a legal or regulatory nightmare.
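The point of the last few paragraphs is that a policy requiring third-party audits is worthless unless you can show the audits actually happened. The script below is an added example, not code from the original post, of the kind of check that produces that evidence: it runs over a register of third parties with network access and flags every one whose access is not backed by a current audit and a signed access agreement. The register format, the party names, the dates and the one-year validity window are all constructed for this example; a real deployment would read the register from whatever system tracks access grants.

```python
"""Added example (not from the original post): verify that every third party
with network access is backed by the evidence the policy requires, rather
than assuming the policy or a signed NDA covers it.

The register, party names, dates and validity window below are hypothetical.
"""
from datetime import date

# Hypothetical policy parameter: a third-party security audit is valid this long.
AUDIT_VALIDITY_DAYS = 365

# Constructed register of third parties that currently have network access.
# audit_date is None when the required audit was never done; agreement_signed
# records whether the "3rd Party Access Agreement" / NDA is on file.
THIRD_PARTIES = [
    {"name": "Vendor-A", "access": "VPN", "audit_date": date(2008, 9, 1), "agreement_signed": True},
    {"name": "Vendor-B", "access": "site-to-site", "audit_date": None, "agreement_signed": True},
    {"name": "Partner-C", "access": "VPN", "audit_date": date(2007, 1, 15), "agreement_signed": True},
    {"name": "Contractor-D", "access": "on-site LAN", "audit_date": date(2008, 11, 20), "agreement_signed": False},
]


def audit_gaps(register, today, validity_days=AUDIT_VALIDITY_DAYS):
    """Return {name: [reasons]} for every party whose access is not backed by evidence.

    Compliant parties (no reasons) are left out, so an empty dict means the
    policy is actually being enforced, not just written down.
    """
    gaps = {}
    for party in register:
        reasons = []
        if not party["agreement_signed"]:
            reasons.append("no signed access agreement")
        audited = party["audit_date"]
        if audited is None:
            reasons.append("required security audit never performed")
        else:
            age_days = (today - audited).days
            if age_days > validity_days:
                reasons.append(f"audit stale ({age_days} days old)")
        if reasons:
            gaps[party["name"]] = reasons
    return gaps


def compliance_report(register, today):
    """Human-readable lines for whoever has to prove due diligence later."""
    gaps = audit_gaps(register, today)
    lines = []
    for party in register:
        name = party["name"]
        status = "; ".join(gaps[name]) if name in gaps else "OK"
        lines.append(f"{name:13s} {party['access']:13s} {status}")
    return lines


if __name__ == "__main__":
    for line in compliance_report(THIRD_PARTIES, date(2009, 1, 5)):
        print(line)
```

Run against the constructed register on 5 Jan 2009, Vendor-A passes, Vendor-B was never audited, Partner-C's audit is almost two years old, and Contractor-D has a current audit but no signed agreement. The last two cases are the ones the post warns about: a policy that says "we audit" while the records show otherwise.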
