Last week at the RSA conference (see my RSA Recap) it was interesting to hear the drumbeat of security is everyone’s problem, and at the same time see posts on the staffing crisis in IT security. In addition, I talked to so many people who told me that security tools aren’t budgeted for well and that’s one of the reasons that they have to go up the chain to get approved. All of this made me think about the real challenge in making security everyone’s responsibility when you can’t get tools easily, you don’t have enough people, and most of the tools are hidden in a shroud of complexity.
Step 1: Getting the buy-in that you need the tools. ROI is everything, and security tools come with these magical ROIs that talk about the cost of data loss and application downtime to the business. It all translates to real revenue impact, and ultimately most of the big projects are sold like insurance. But as an IT guy in the trenches, you don’t get to buy insurance; your boss or your boss’s boss does that, right?
Well, there’s a better way to look at it if you need to justify many of these tools: operational efficiency.
Consider this example.
- How many firewalls do you have?
- How many changes do you make a week?
- How many people make changes?
- How long does a change take to plan, make, and test?
- How many changes need to be re-worked?
- How many security patches do you apply in a typical month?
- How long do you spend reading log files, or using homegrown tools to read log files?
For example, if you had a tool that everyone could use to analyze firewall rules and changes before they went to production, and that then generated the script changes you could feed into your award-winning configuration management tool, how much time would it save? If you could automate the patching process across Microsoft and the other 3rd-party software you have, how much time would it save? If you had log file analysis and automated responses to suspicious behavior, how much time and grief would it save? How much hassle?
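To make the first of those questions concrete, here is a small pre-production check of the kind the paragraph describes. It is an added example written for this post, not SolarWinds product code. It assumes a first-match firewall policy (the first rule that covers a packet decides), IPv4 addresses only, and emits the change as an iptables command; the rule names, addresses and ports are constructed sample data.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One firewall rule; "any" is a wildcard for proto, src, dst and dport."""
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    dport: str    # port number as a string, or "any"


def _net(cidr: str) -> ipaddress.IPv4Network:
    # "any" is treated as the whole IPv4 space (assumption: IPv4 only)
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (
        (outer.proto == "any" or outer.proto == inner.proto)
        and _net(inner.src).subnet_of(_net(outer.src))
        and _net(inner.dst).subnet_of(_net(outer.dst))
        and (outer.dport == "any" or outer.dport == inner.dport)
    )


def review_change(ruleset: list, new_rule: Rule, position: int) -> list:
    """Review inserting `new_rule` at 1-based `position` under first-match semantics.

    Returns a list of human-readable findings; an empty list means the change
    is clean enough to go to the configuration management tool.
    """
    findings = []
    # 1. An unrestricted allow needs a stated justification before it ships.
    if new_rule.action == "allow" and (new_rule.src, new_rule.dst, new_rule.dport) == ("any", "any", "any"):
        findings.append(f"{new_rule.name}: allow-any-any rule, needs explicit justification")
    # 2. A rule fully covered by an earlier one can never match (dead change).
    for earlier in ruleset[:position - 1]:
        if covers(earlier, new_rule):
            findings.append(
                f"{new_rule.name}: shadowed by earlier rule {earlier.name} ({earlier.action}); it would never match"
            )
            break
    # 3. A new rule that fully covers a later rule of the opposite action silently
    #    disables it (e.g. a broad allow placed above an existing deny).
    for later in ruleset[position - 1:]:
        if later.action != new_rule.action and covers(new_rule, later):
            findings.append(f"{new_rule.name}: makes later {later.action} rule {later.name} unreachable")
    return findings


def render_iptables(rule: Rule, position: int) -> str:
    """Render the change as an iptables insert on the FORWARD chain (1-based rulenum)."""
    parts = ["iptables", "-I", "FORWARD", str(position)]
    if rule.proto != "any":
        parts += ["-p", rule.proto]
    if rule.src != "any":
        parts += ["-s", rule.src]
    if rule.dst != "any":
        parts += ["-d", rule.dst]
    if rule.dport != "any" and rule.proto in ("tcp", "udp"):
        parts += ["--dport", rule.dport]
    parts += ["-j", "ACCEPT" if rule.action == "allow" else "DROP"]
    return " ".join(parts)


# Constructed sample policy, evaluated top to bottom, default deny last.
CURRENT_RULES = [
    Rule("r1-mgmt-ssh", "allow", "tcp", "10.0.0.0/24", "10.1.0.10/32", "22"),
    Rule("r2-web", "allow", "tcp", "any", "10.1.0.20/32", "443"),
    Rule("r3-deny-db", "deny", "any", "any", "10.1.0.30/32", "any"),
    Rule("r4-default-deny", "deny", "any", "any", "any", "any"),
]

# Constructed proposed changes: one redundant, one clean, one dangerous.
SHADOWED = Rule("r-new-ssh-host", "allow", "tcp", "10.0.0.5/32", "10.1.0.10/32", "22")
CLEAN = Rule("r-db-from-app", "allow", "tcp", "10.2.0.0/24", "10.1.0.30/32", "5432")
TOO_BROAD = Rule("r-temp-open", "allow", "any", "any", "any", "any")

if __name__ == "__main__":
    for rule, pos in ((SHADOWED, 2), (CLEAN, 3), (TOO_BROAD, 1)):
        print(f"== {rule.name} at position {pos}")
        for f in review_change(CURRENT_RULES, rule, pos):
            print("  finding:", f)
        print("  script:", render_iptables(rule, pos))
```

Run as a script it prints each proposed rule's findings and the generated command; the clean change produces no findings, while the "temporary" allow-any is flagged three times (once for being unrestricted, twice for making both deny rules below it unreachable), which is exactly the kind of mistake a pre-production review should catch before anyone reads a log file about it.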
Step 2: Getting your security folks on board. While I was at RSA I spoke to a few security guys, and one thing stuck with me: they all made the point that when security is part of everyone’s day job, without it feeling like security, it gets done, and without complaints. It’s like disguising vegetables in something delicious for your kids! Well, you’re not a kid and you don’t need a disguise. You can go to your friendly security guy and tell him you have a tool you’re using to help you make changes quicker and better, and that it will also generate compliance reports and prove that you are holding down the fort, so to speak.
You might even find yourself popular with your security folks, if you propose the tools SolarWinds provides that enhance security while increasing productivity. SolarWinds products are typically far more affordable than comparable solutions.
Step 3: Oh, that dreaded complexity. So your IT guy loves the concept and wants to know when the demo will be. Well, that’s where we come in: just download the right product for you and you’ll be up and running in about an hour. Now you do the ‘demo’, but better yet, it’s a demo running in your environment with your data.
That’s it: 3 steps to making security everyone’s business.