Dark Reading's Top 10 IT Security Myths Demystified - Part 2
Getting back to Dark Reading's Top 10 IT Security Myths (link here), let's take a look at the next two.
Myth #3: Vendors Have Your Best Interests in Mind (link here)
The primary goal of a security company -- like most other companies -- is to make money.
You would think this one is totally self-evident, but it's not. I can't tell you how many folks I talk to that really believe their security vendor is trying to help them. Well, to be fair, they are. But when it comes down to it, "help" is a funny word. If help means they can sell their product, then they are all for help.
But at the end of the day, let's be clear that the role of the sales person (and the SE and the support person) is to feed their family. And they feed their family by selling stuff to folks like YOU.
The best IT sales people I've met do truly believe they are helping their customers, which is a good thing. But again, remember they don't get paid until you buy something. And it's their job to convince you that you need to buy what they are selling right now.
I think most of the rest of their explanation is crap. Vendors don't try to create more complexity for you. Though many do trade on fear. Fact is, more "constructive" positioning of security technology has failed miserably over the years. Security is like insurance: you buy it because you have to, not because you want to. That hasn't changed in 15 years.
I also don't believe that most end users "manage their vendors." I haven't seen that. Some users know how to buy stuff, but they are in the minority. Most react to a certain mandate, incident or something else that creates a buying catalyst. Then they buy whoever comes in the door first with something that will solve the problem.
I give this myth-buster an A, but once again I think they are exactly right but have a hard time telling the readers why.
Myth #4: Separate Physical, Electronic Security (link here)
But the vendors that sell you physical security systems and those that sell IT security have little to no overlap. Organizationally, physical security is often handled by the facilities department, while computer security is IT's domain.
It is true that in most cases physical security and IT security reside within different organizations. It's also true that most attacks involve both trying to compromise the physical, as a way to access the electronic.
But I don't buy that you need to attach the two at the hip to be effective. The disciplines are very different and the only link I really see is training. Your receptionists need to be able to detect social engineering attacks meant to provide the bad guys access to your facilities. If those folks can adequately block those attacks, then you cut off a HUGE part of your electronic vulnerability. If not, then you are open season for bad guys.
But are there tools that help people leverage the two? Not really. Do you need them? Again, not really. I tend to subscribe to the school of thought that if it was important, someone would have already thought of it. In fact, lots of people have thought of things that are just not important. 800 security companies prove that every day. Both of these disciplines (physical and electronic access control) have been around long enough that if it was a good idea to integrate the two, customers would have bought it. To date, they haven't.
Maybe I'm being naive here, but I have not had one person ask me when physical and electronic security are going to be merged. Maybe I don't hang out with enough physical security folks, but still. I just don't think there is enough leverage to warrant what would require an architectural overhaul of either electronic or physical.
This one gets a D.
Two more tomorrow...