Six executives fill the boardroom chairs and you seem to have chosen the only chair that lets loose a metallic shriek upon any movement. Ugh. But there is work to do. You are all here to solve a problem. A big problem. One of your organization’s IT solutions desperately needs replacement and you are here to provide a “security lens” on the discussions about to be had.
Things start out well enough. They go over the list of features that are required in the replacement product: what are deal-breakers? what could be left behind if required? pay tiers? support models? deployment plans and timelines? Things like that. The requirements are high level and you spend your time listening to the discussion but not really participating. Then the discussion turns towards compliance and security. Your ears perk up.
They start asking your type of questions: “What type of information do we need to store and how are we going to protect it?”, and the like — in not-so-many-words but you pick up the subtext. “Do we need to think about compliance?”
All eyes turn to you.
You dive in.
The feature-sets for all the potential products differ which makes it hard to do a full comparison, but they all follow a similar thread of functionality — they’re in the same space after all. Some vendors have compliance with recognized security standards. Others have provided technical documentation that exceeds anything you would see in a standard but then fall short in other areas. You’ve done your homework on each one and you describe a reasonable security baseline that the products should meet. A few of the potential products pass the basic test. One in particular stands out as the security ‘champion’. You clearly make your bias known.
The other participants thank you for your detailed assessment and move the conversation forward. As the discussion continues there is a clear lean towards a candidate that isn’t the “champion” that you outlined. You try to raise the difference in security between the two and are rebuffed. The meeting concludes with a strong focus on a product that was third in line — in your mind. Yes it passed the baseline, but there was a clear winner here, right?!?
* * * *
It’s been a while but I was that “security guy” and still hear many similar complaints. When I hear it I now respond with the same question that my boss asked me back when I brought it up with him: “What is the purpose of our entire organization?”
It’s a tough lesson to learn but it is likely that your organization’s purpose is NOT security. Maybe it’s providing E-mail services, or HR services, or mobile games, or antivirus software (That’s right: the purpose is to provide software which just happens to be AV, and it is sweet, sweet irony to an adversary when they pop the AV to get to their target) — but the primary objective is NOT security.
Your organization has mandates that need to be met. They need to be met under deadlines with constrained resources and with competing priorities. Even if “security” (whatever that actually means) is a high priority for the organization it will be competing with functionality, and cost, and ease of use, etc. The tool has to do what is needed, and must be affordable, and your users must be able to use it with, or without, training (hopefully with — if not, you better be thinking about support costs).
Yes it needs to be secure, but know that your executives are juggling “security” with all those other priorities. They rely on you, “the security guy (or gal)”, to inform them, then they (hopefully) make the best decision with the information at hand.
In the scenario above the team needed an advisor not a decision-maker.