No, I didn’t do a mistake. I actually meant that security is product and not – as the mantra we hear since decades – a process. Truth is that company departments are governed by this god called “budget” and failing to fully spend it means that at the next round the financial controller will bash it, thus lowering the status and the power of the involved IT or security manager.
So monies have to be spent but how? Not on consulting or security management, of course. When incidents happen (as they do, more often that we may imagine or hope) the barrel starts rolling and everybody in the company keep it rolling on somebody else’s shoulders. And here comes the catch: nobody will ever be fired for having purchased stacks of “security-branded” boxes like firewalls, intrusion detections tools etc. even if these boxes aren’t properly deployed.
It’s easy to address the incident meeting with the CEO, the HR head and the legals by saying: “look, we purchased the best things on the market, and to be sure that we were safe, we doubled all the components – you know, redundancy, high-availability and those other things required by our security certification. Unfortunately these fucking balcanian hackers know better then the devil itself. But I have already managed how to fix the problem: our supplier has been asked to provide its latest device that will protect us better than ever. BTW, since we’re talking about that, though I got a fair price cut, the thing is costly and I need my budget to be extended. Is for security sake!”
Now compare this statement with what follows: “well, as you know, we didn’t need to spend money on hardware. Our firewalls are still capable and fit, so I focused on the internal checks. I hired a consulting firm to do penetration test once-a-year (can’t do it more often because the company complained that these activities slow down the business), than I had another company to monitor and analyze the daily flow of the traffic we generate (but we have been prevented by the legals to dive much too deep into the origin of the connections, so we don’t actually know where did the trojan come from), I then hired an auditor to check the software installed on each computer in use, but the HR told us that we couldn’t do it on the high level management laptop.”
And here comes the final question: which one security manager is gonna be fired?