OK, so this isn’t quite as relevant today, given the economy, as it was a couple of years ago, but it still goes on. A CXO is reading a technology publication, or talking to a friend in a similar position at another company, or just got back from a conference, and now they want “Technology X”: the newest, coolest technology toy on the market. It will solve all of their problems, or at least give their ego a boost. Now they can brag about how their company is using “Technology X”!

The problem is that “Technology X” does not solve a relevant problem that the company has. This has been going on for years and is the nightmare of many a security professional. I’ve been preaching this for years, and today I ran across a good posting from Thomas Nicholson on this very topic. His title is right on: “It’s about the data not the technology”. What we are protecting is the key here, not the technology we are using. There are lots of different technologies that protect data and systems, and they all have their good and bad points. Most of them claim to be the best in “Category X”, but rarely do any of them really measure up to what they claim. Our solution shouldn’t be based on a technology; it has to be based on the data that is to be protected.

My last employer bought a boatload of technology from a vendor that still has yet to be deployed because it wasn’t what we needed. In many cases it wasn’t even usable in the network because of incompatibility issues with other technologies. They didn’t do their homework and got sold a bunch of stuff that turned into expensive paperweights, all because it came from a noted vendor and the vendor was able to convince them that it would solve their problems. As Thomas put it, “They didn’t ask the right questions,” and they didn’t ask others for their input in the decision.

There are those who know the right questions to ask, but often they are left out of the conversation: sometimes because others don’t know that they are not asking the right questions, and sometimes because they don’t want to know the right questions. We do have to get everyone else on board with asking the right questions. How we do it will vary depending on your personality and the organization that you work with. The right questions come from more places than just management, the IT team or the security team. They also come from the end users. We have to engage them in the conversation if we really want to know what will work. Not that they will be able to give us a recommendation on a technology or solution, but they will tell us how they work and what they do. These questions need to be top priority in designing our solutions.

I can’t talk about this topic without mentioning someone who, in my opinion, is the King of asking the right questions. Michael Santarcangello, The Security Catalyst, has built a whole security culture out of asking the right questions. He firmly believes, and has proven, that engaging in conversations with the end users will give you insight beyond what you could ever imagine. He has helped shape some of what I now think regarding this, and if you are interested in learning more about it, I suggest that you engage him in some conversations of your own. (Sorry for the ad, but when talking about this topic I have to mention him.)