Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Shopping for security.

I got a really great comment from Esteban on one of my older posts.  He asked:

- in the example of purchasin[g] a SIM, SIEM, IDM solution who should be involved (besides finance of course)? CISO? CTO? M-level from IT?

In the cases that he mentioned, these tools are all “up the stack” and much, much closer to the business processes.  Identity and Access Management gets into the very heart of your organization’s policy for letting people access your information; that’s why it’s so hard to implement without their understanding and co-operation.  And SIEM—well, that’s also about information, isn’t it?  And if your information is not relatable directly to business intelligence, then your customer base is not going to care about it one bit.

Nobody cares about IDS alerts any more.  Hell, *I* don’t care about them any more.  Okay, I pay someone to care, and even HE doesn’t get all excited about them anymore—EXCEPT inasmuch as it tells him on a higher level what’s going on with the data in our network.  He’s looking at it not from the perspective of the latest signatures and exploits; he’s looking at them to see whether traffic is flowing in unusual ways that mean that someone has a spyware infection, someone installed an application that nobody approved, or someone took the equivalent of pinking shears to the routing tables again.

When you take security intelligence to the next level, it’s more useful to people outside the security group.  Database activity monitoring can tell developers a lot of things they didn’t know about how their applications are working (or not).  Access event logs can tell data owners how widely adopted their data sets have become.  A GRC dashboard (*ickshudder*) can tell a CTO which remote sites are rebelling against technology standards.  LonerVamp had an awesome blog post featuring an epiphany that DLP is really a Sensitive Business Process Identifier.

For this reason, when you go shopping for one of these intelligence tools, you really need to be involving as many other business areas as you can that may benefit from it.  For one thing, it’ll make sure you’re making the right choices; for another, it helps to get wider buy-in before the price quote even lands on your CFO’s desk.  And if it’s turning out to be the kind of tool you’re only buying for yourself ... then you really should think about whether you’re serving your customers’ security needs at all.

Posted by shrdlu on Saturday, January 09, 2010