Don't blame cost of security on the vendors

As evidenced by my post last week I spent several days at the Gartner Symposium and ITExpo in Orlando last week. I can't get one incident out of my mind. I was manning our booth as usual (my feet are still recovering from 4 days of standing, ouch) when a stout little man wandered by. I engaged him in conversation about network security and he lashed out with "you security vendors are always trying to sell us a new box, you are a money hole we keep spending on but we still get hacked". This is one of my hot buttons. Pinning the blame on the security industry for all the different solutions that do not inter-operate is a favorite game played by industry pundits and CIOs.

As I was digging my heels in and getting my hackles up I finally read this guy's name badge. He was CIO of a major branch of the US military. Well, here is my answer to him, thought up way too late to confront him face to face.

No sir, you have not spent enough on security. Look to your own operations. Have you enforced segmentation of your network? Have you put firewalls between you and the other agencies? Do you still allow telnet and ftp in unauthenticated clear text? Can you do user provisioning? What does your patch management look like? Do you have effective anti-spyware? Do you do security assessments of your entire network on a continuous basis? I know the answers to these questions as well as you do. Look to your latest computer security scores from GSAFISMA. An F. You see that? An F!. Before you point fingers at a security industry that is constantly evaluating the threats and creating counter measures look to your own actions; or lack thereof. You sir have failed in your duty to protect the assets of the US Military. You have allowed foreign entities to overrun your networks. On your watch our digital homeland has been invaded.