When Mike was reviewing the latest Pragmatic Data Security post he nailed me on being too apologetic for telling people they need to spend money on data-security-specific tools. (The line isn’t in the published post.)
Just so you don’t think Mike treats me any nicer in private than he does in public, here’s what he said:
Don’t apologize for the fact that data discovery needs tools. It is what it is. They can be like almost everyone else and do nothing, or they can get some tools to do the job. Now helping to determine which tools they need (which you do later in the post) is a good thing. I just don’t like the apologetic tone.
As someone who is often a proponent for tools that aren’t in the typical security arsenal, I’ve found myself apologizing for telling people to spend money. Partially, it’s because it isn’t my money… and I think analysts all too often forget that real people have budget constraints. Partially it’s because certain users complain or look at me like I’m an idiot for recommending something like DLP.
I have a new answer next time someone asks me if there’s a free tool to replace whatever data security tool I recommend:
Did you build your own Linux box running ipfw to protect your network, or did you buy a firewall?
The important part is that I only recommend these purchases when they will provide you with clear value in terms of improving your security over alternatives. Yep, this is going to stay a tough sell until some regulation or PCI-like standard requires them.
Thus I’m saying, here and now, that if you need to protect data you likely need DLP (the real thing, not merely a feature of some other product) and Database Activity Monitoring. I haven’t found any reasonable alternatives that provide the same value.
There. I said it. No more apologies – if you have the need, spend the money. Just make sure you really have the need, and the tool you are looking at really delivers the value, since not all solutions are created equal.
3 Replies to “You Have to Buy Data Security Tools”
Rich,
Have you reviewed the new data loss prevention vendor, Prevensys (www.prevensys.com)?
I tend to agree that we shouldn’t feel bad for telling someone they need to spend a little money to do things properly.
One thing I always like to point out though, is that buying security tools is not enough. Many people/organizations assume that just purchasing, and doing a vanilla install, is all they need to do so they can sleep safely at night. More realistically, one must spend time properly configuring, tuning, and monitoring these tools or it’s just throwing money away.
One thing I’d add to this Rich is the need to prioritize. A lot of companies “have the need,” but ultimately have to make tough choices about what gets bought and what doesn’t.
It always gets back to prioritizing what’s important based on the business drivers and needs. Maybe it’s a new perimeter defense widget, maybe it’s data discovery, maybe it’s a WAF.
As long as everyone remembers to do their homework on making sure budget realities reflect business needs (and more importantly expectations), it’s all good.