Let's talk about gaps
In security there’s a reluctance to tell potential customers that we’re not doing something out of fear of losing the deal.

You’re not hardening your instances to the full CIS standard? You don’t patch every vulnerability within 7 days?
*GASP!*
<Clutches pearls>
In a vacuum, both are great. Fortunately, we don’t live in a vacuum, and there are perfectly valid reasons for not doing either.
When there’s a size mismatch between larger customers and smaller vendors, the vendors feel obligated to say “Yes! We’re very mature! Of course we have a well-tuned SIEM that aggregates alerts! It would be crazy not to have one!” and then proceed to try to roll it out, because they’re afraid to say they don’t do X.
This draws valuable resources away from where they could have the highest impact and towards controls of questionable value in their unique context.
What can we do about it?
If you are the vendor:
Know why a given control is or isn’t a good fit for your organization and be able to convey that effectively. A must-have at 5000 people can often make things worse at 50.
Don’t be afraid to push back and explain why a control doesn’t make sense for your org. Just because it’s on the questionnaire doesn’t mean it’s a deal breaker.
Understand what the upstream concern is and speak to that rather than to the control.
If you are the customer, especially if you’re a large one:
Just by asking about a control, you imply that you want it to exist. You can inadvertently get vendors to say they have something out of fear of losing the deal, and then they spend limited time and budget on a poorly fitting control.
A tool or control might make sense for you because there's an entire team to manage it. That same control could take a significant portion of a smaller team’s already limited time with minimal return for that effort.
Rather than asking about controls, ask about the risk you’re actually concerned about. You’ll get a better idea of a vendor’s posture by asking how they’ve addressed that concern than by asking for a specific control.
Security isn’t one size fits all, let’s stop treating it that way.