"Ok, so what do I have to buy?"
Those are generally the first words out of a client's mouth when he realizes the importance of network security. (That is, if he realizes before he's been attacked; we can't print the typical first words after he's been victimized.) That's a healthy response to some extent, because it demonstrates a willingness to devote resources to the problem. Unfortunately, it also suggests a desire to "make the problem go away," which can give rise to an un healthy focus on products at the expense of human expertise.
It's up to you to keep your clients' focus in check, and by stressing the points outlined be low, you'll help them see the light.
Security is a process, not a product. Unlike enterprise resource planning or customer relationship management, security cannot be reduced to a discrete feature set, nor does it reside in any single hardware or software element of a network. It is a function of all of the interactions between those elements. It is also a competitive enterprise in which attackers constantly search for new ways to force unexpected interactions, while solutions providers search for ways to limit them.
Relying on specific products for security is like centering a baseball strategy on a specific kind of bat. Some technologies (like firewalls and intrusion-detection systems) provide crucial tools that expand defensive options and create new obstacles for attackers. Others (like VPNs) help minimize the risks associated with adding new functionality. Like the baseball bat, however, the practical value of those tools depends first and foremost on the abilities of the people using them.
Trust no one. OK, perhaps this is a bit extremecertainly more so than a simple "buyer beware." Although when it comes to security, savvy purchasers who normally live and die by caveat emptor often turn credulous. The genuine technical complexity of security issues combined with the hacker mystique creates a strong impulse to trust "the experts," even if the experts' primary concern is selling products.
That is not to say that security vendors are particularly dishonest, rather evaluating security marketing claims is particularly difficult.
There is no substitute for expertise. The bottom line: You or your client needs an expert on your sidesomeone who thoroughly understands the basic issues, if not a world-class guru. The best way to develop that expertise is by providing the resources necessary to train trusted IT staff on an ongoing basis. Hiring an em ployee for his security background has some drawbacks; marketing claims in a résumé can be almost as tricky to assess as those in a product brochure.
A long-term relationship with a trusted consultant is extremely valuable but is a poor replacement for internal know-how. Entirely outsourcing the assessment and purchasing decisions is a recipe for disaster and should only be considered as a last resort.
David Raikow is a contributing editor to Sm@rt Partner. Column comments can be sent to firstname.lastname@example.org.