Fast forward to 2016 and we are in the middle of a gold rush in the cyber market. The list of data breaches is overwhelming. It’s estimated that cyber crime is overtaking traditional crime. And vendors everywhere are offering cyber security products and services. It’s good that we have such a breadth of options, but the gold rush is bringing more problems than it’s solving.
The biggest problem with some of the vendors out there is that they are adding noise to an already crowded field. And the ones that are claiming to do something they can’t are giving businesses a false sense of security, in effect making them less secure rather than more so. Take, for example, the business that hires a vendor because they are “HIPAA Compliant”. Unfortunately, many vendors use this label as freely as food manufacturers use “sugar-free” or “fat-free”; the label does not tell the whole story. HIPAA compliance is a complex mix of technical, physical and administrative controls combined with data privacy requirements. A datacenter that tells you they offer “HIPAA Compliant hosting” might lead your company into a false sense of being “HIPAA Compliant”, especially if they are implying that using their products and services will magically confer compliance upon your company. For a government regulation like HIPAA, this could lead to serious consequences for the company and its executives.
What Can You Do?
For product vendors, if they are offering something that seems too good to be true, get them to do a proof of concept. It should be easy to see the value the product brings in your environment. If it doesn’t bring obvious improvements, then it’s probably not the best fit. A POC will also allow you to see if there is a lengthy install and development process that is necessary to make the product work in your environment; this is something many vendors will hide, and it typically leads to the “shelfware” syndrome that we see in datacenters everywhere. For services vendors, look at their team. If their top “Security Expert” has less than 10 years dedicated to cyber security, you should be wary of the expertise they’ll be bringing to bear for your organization, especially if they have never practiced it for an organization themselves. This is especially true in the Virtual CISO or vCISO space: if the person responsible for being the CISO for your organization has never been responsible for driving security initiatives for an organization, you don’t want them learning and making mistakes in your environment. If their security pitch includes lots of buzzwords and products, but not much in the way of substance, move on and look for another vendor.
Some questions that are helpful:
- What does the offered (HIPAA/PCI/GLBA) compliance actually entail? There should be a clear delineation for the compliance area that the products or services will cover.
- Can you provide the resumes of the security team that will be responsible for the security of our organization? Check to make sure there is actual operational and organizational cyber security experience on the team, commensurate with the problems you are trying to solve.
- What internal security certifications does the vendor have (SOC 2, ISO 27001, etc.)? Beware the problem of the “cobbler’s children have no shoes”, i.e. a vendor that is offering security solutions for others but has not achieved those certifications for themselves.
Cybersecurity is set to explode in growth over the coming years, which means a new generation of “Forty-Niners” will be flooding the field. Heeding these tips will help you avoid spending your already limited security budget on cyber snake oil.