Three Words to Describe Enterprise Security

Wednesday, November 16, 2011

Rafal Los


We Information Security professionals are a cynical bunch.

I asked on Twitter for some of you to reply to me, answering the following question:

"Describe Enterprise Security" in 3 words, add the #EntSec hashtag to it. And you probably wouldn't be surprised what sorts of things people replied with.

The List

Here's a list of some of the most interesting answers:

  1. "lack of funds"
  2. tactical, overwhelmed, undefined"
  3. "frozen in 2003"
  4. evolving, broken, compliance
  5. misunderstood, under-appreciated, compromised
  6. appliances, applications, misguided
  7. "cover executive a**es"
  8. governance, visibility, structure
  9. collaboration, prioritization, strategy
  10. triaging, fighting, futility
  11. prevent, detect, learn
  12. detect, prosecute, repeat
  13. "perception trumps truth"
  14. unmeasured, unfocused, unwilling
  15. "immature data science"
  16. "responsibility without authority"

The whole list (which is still growing) can be found here:

If you wish to contribute, just reply to me (@Wh1t3Rabbit) on Twitter, with the hashtag #EntSec ...


I don't think it takes a rocket scientist to analyze what is going on here. 

We're cynical.  We're sick of vendors selling our management on solutions that don't actually solve anything, and tend to continue to cram our network closets and data centers with devices we can't hope to manage. 

In fact, many security professionals and information security management alike are getting fed up with vendors who don't take the time to understand the issues they're facing - and simply to to sell, sell, sell... If you want evidence take a listen to Episode 4 of "Down the Rabbithole"...

I have 2 guests who are security managers at very small companies, listen to their advice to their vendors (link here).

There is another side to the coin, and I think this means opportunity.  For every negative there is a chance to fix it, and I firmly believe that not all vendors are created equal. 

I think plenty of us vendors listen to our customers, and attempt to provide actual solutions once we've taken the time to identify a problem.

Let me propose a step forward, then.  Vendors - let's make sure we understand our customers.  Consumers - please take the time to articulate what struggles you have, what makes work-life difficult, and the true nature of your security problems

I think too often consumers of security products and services are so careful not to disclose anything, that they don't give the vendor a chance to understand them better. 

Yes, this means I'm blaming both sides, almost equally.

Let's raise awareness together, and start solving some actual problems.  It's crystal-clear we can be cynical... but can we actually make some lemonade here?

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Enterprise Security
Information Security
Enterprise Security Management Infosec Consumers vendors EntSec
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.