Do all vendors underperform, security-wise?

2014-06-19, 13:17 Posted by:


I've heard it through my whole career: ERP system vendors don't care about security. SCADA vendors don't pay attention to their role in society's core infrastructure, putting whole nations at risk. There just isn't enough logging in any cloud service to provide any benefit to the organizations running them. Consultants that write web applications make them vulnerable to SQL injection.

When the traffic moves against you in your lane, it's time to stop and think. 

It might be that your organization's procurement methods encourage poor security. 

Let's say that you want to buy a car. You buy a car from the lowest bidder. You get a Skoda with a driver-seat airbag. But you needed a 12-airbag Volvo, didn't you?

That sales guy should have known, right? He should have risen to the occasion, right? He should have understood that there should be 12 airbags in a car to protect your whole family, right?

And he should have done it without adding anything to the price tag, don't you agree? 


"There ain't no such thing as a free lunch." It is true for you, and it's true for your vendors. It costs more to develop secure solutions, no doubt about it. It might be good business to do so, but from a vendor's perspective it seldom is. It's a tragic truth.

Because of procurement laws in the public sector, and because of internal regulations in large companies in the private sector, customers are often required to buy the cheapest solution that complies with all the requirements. In other words: if you haven't defined your security requirements, then you have no way to pay for them.

Let's move onwards in this causality chain: if the vendor implements security on their own initiative, then they have to pay for it from their own margin. Or, as an alternative, they may choose to raise the price and risk losing the deal altogether because some other vendor left out the security parts and offered a lower cost.

Ergo: if you don't define security requirements... all of them... then you give a strong competitive advantage to vendors that create insecure solutions. 

Don't hold your punches!

If you want secure solutions to be delivered to you, you need to set the requirements straight. Whenever you think something is obvious ("of course the system has a backup solution attached to it") you need to set that expectation in writing. Make it a requirement.

The companies that like to build secure solutions will love this, because it levels the playing field. It will no longer be possible for a competitor that doesn't care about security to place a winning bid by leaving out the stuff that any honorable vendor would include in the offer.

When you do this, you will eventually have eradicated the commercial pressure your own organization has put on your vendors to provide insecure solutions. Traffic will no longer feel like it's moving against you, in your lane.

Let's pause at that thought!

I look out the window. It's 13:52, June 19th, 2014. Midsummer traffic has already started; I can see it through the office windows.

When going away for this weekend, drive safely and use a safe car. And when you come back from your summer vacations, make sure that all the IT solutions have their security requirements so well defined that it just isn't possible to duck them. You will get secure solutions.
