Security has always been an area prone to the purchase of snake-oil. Security is viewed as a black-art by those outside of our community, a view that’s often exacerbated by commercially motivated spreading of fear, uncertainty and doubt. Even inside the security community, few people really understand how the bad guys work. This lack of knowledge often leads to the purchase and implementation of a glut of inappropriate technology solutions that do little other than enable the purchaser to tick some relevant compliance checkboxes. Think of the number of organisations that have stateful inspection firewalls and Intrusion Prevention Systems and then proceed to allow encrypted SSL communications with their backend systems. For the non-techies out there, this is a problem because it means that your inspection tools cannot see inside the encrypted network packets to judge whether or not they are malicious. Your controls are therefore blind and allowing potentially nasty traffic inside what you thought was a secure perimeter. However, it’s likely that this is not seen as a major business issue by the board because you have likely ticked the relevant compliance check-boxes. This is a good example of why compliance and security are, and must be recognised as, separate disciplines.
Security must be dealt with as a business issue and not relegated to a mere technology issue. Understanding the genuine risks to your business requires an informed discussion, ideally between those who understand the risks that the business can tolerate and those who understand, and can articulate, the risks likely to be faced. Once the risks have been identified, you can use these risks to feed into your security architecture so that you ensure that the security services you buy or implement address the risks that the business is not prepared to accept. Technology can help to deliver these security services but it’s important to note which of the security services your technology choices can deliver and which they cannot! A firewall is not the be-all and end-all. Indeed, sometimes technologies can introduce new risks that were not present beforehand – consider the example of the conflict between encryption and monitoring discussed above. To make matters worse, it’s not as though firewalls and Intrusion Prevention Systems are foolproof in any case… (see http://www.infosecurity-magazine.com/view/31984/ips-needs-to-become-more-aware-of-advanced-evasion-techniques/ for example).
Now, security technologies can help to deliver important security requirements, and they are critical to delivering certain security controls, but there is no magic technology that will fix all of your security issues. If your security advisor is proposing a technology-led approach rather than a business-led approach, consider carefully whether you are chasing compliance or chasing security. Then make an informed decision as to your best way forward.