What and when to buy: Security products are not problem-solvers
By Tim McCreight
Winter has been replaced with the promise of new adventures, and new risks to identify. It’s also the beginning of conference and exhibition season — a chance for vendors, developers and integrators to try to persuade security professionals that their latest equipment or software will change the way we secure our organizations.
I’ve heard this so often during my career. A conversation starts off with, “Tim, I went to a conference last week and saw this great widget! We absolutely need to buy this, but I can’t get my executives to agree. Can you help me convince them how good this widget is?”
I appreciate the skills and expertise our industry vendors and developers display. These folks are amazing with their ability to design a product or solution that can reduce risks to environments, and offer greater service and functionality that we’ve never experienced in the past. I’m not downplaying the role all our vendors, developers and integrators play to help us security professionals protect our organizations.
I’m concerned that some security professionals immediately leap to the conclusion that their organization absolutely needs a new widget, without understanding whether the widget will support their business objectives, reduce risks facing their enterprise assets, and provide a practical and pragmatic approach to continually securing their organization.
Purchasing solutions is the last step we should take after we’ve gone through the Enterprise Security Risk Management (ESRM) methodology. If we jump directly to a purchasing decision without doing our homework first, we run the risk of presenting a flawed business case to our executives and may not receive any funding, while potentially damaging our relationships with leadership as well.
The ESRM methodology focuses our mindset on business goals and objectives, and on how the assets we have in place must ultimately support these goals. When we assess the risks to these assets and come up with alternatives to mitigate the risk, we need to be practical in our approach by understanding whether our current controls can reduce risks if we actually have them implemented correctly. Sometimes, all it takes to reduce risk is to follow a process that should already be in place!
Too often I’ve been involved in projects that went directly to recommending a new widget, only to have the new solution fail because we didn’t do our business homework. We didn’t identify how any new technology or control must still support business objectives, and that installing any new widget requires training, education and awareness along with updates to our existing control framework. Simply installing a new camera system or updating a card access program won’t address risks if we don’t understand how these new controls will support business objectives by reducing risks.
I have seen changes in how we purchase new widgets from the vendor community. I’ve had some great discussions with vendors who wanted to be more helpful to their clients, so they began reading their current or targeted clients’ online financial statements, or published business strategies. Understanding what your client’s business requirements are can truly change a typical sales discussion into a collaborative assessment of how a proposed solution can address business goals and reduce risks to the enterprise.
I’m not saying don’t go to conferences, or look at buying new widgets. Far from it! What we need to do is focus on the goals of “why” we want to buy a widget, and ensure it has a direct link to business goals while reducing risk. We need to become risk-based consumers, because ESRM isn’t about buying new stuff, it’s about reducing risk.
Tim McCreight is the manager, corporate security (cyber) for The City of Calgary (www.calgary.ca).
This story appeared in the Spring 2019 edition of Canadian Security Magazine.