What do administrators really want in security tools? At a security
conference in New York City, customers pointed to auditability,
flexibility, usability, and most of all, vendor responsiveness.
“There are a lot of vendors out there pushing products,” said Carl W.
Eyler, CISSP, VP and IS officer at Banco Santander Central Hispano. “(But)
does it fit my organization?” he asked. “The problem is that (toolmakers)
are not out there in the trenches.”
Auditability is a key requirement, according to Eyler. “Do I know who my
users are? Who has an account? Has someone plugged in a rogue machine on my
Tools in categories like user management and patch management can confuse
the issue, though. “Is (auditability) a security problem, or an IT
problem?” Eyler inquired, in a panel session at Computer Security 2002, a
conference sponsored by the Metro NY chapter of the Information System
Security Association (ISSA).
Software applications of many sorts are deficient in security, Eyler
suggested. “Often, security is just an add-in,” he said. In particular,
Eyler cited a Web portal product that doesn’t let end users set their own
PINs (personal identification numbers).
Security pros and corporate IT auditors “ought to be pressing vendors to
make all software more auditable,” contended George Hertzberg, panel
Chester M. (“Chet”) Winters, another speaker, urged ease of use,
flexibility, and scalability. Many software products today produce “audit
trails that no one could disseminate, or even use,” charged Winters, a long-time
security manager who is now executive consultant for Data Day.
“If those logs don’t allow you to see where the POC (point of control)
broke down, they don’t do that much good,” Winters added.
By and large, software packages are getting more flexible, Winters
admitted. Especially important, however, is the “ability to change the
security” with mergers and acquisitions, he said. “What happens if I (now)
have 10,000 to 15,000 users?”
Administrators need to be able to set detailed profiles, too. “More and
more software is role-based. How far down can you go?” Tools should offer
“depth as well as breadth,” he maintained.
Many software vendors “overkill some aspects (of security) and underkill
others,” Winters continued. “Very often, you need to go out and buy a second
package for manageability.”
“Don’t let the vendor sell you a security product. Buy it from them. Tell
them (your) requirements,” he told the audience.
Alex Consilvio of RSA Security, Inc. bounced back with a vendor’s
perspective. Vendors know it’s in their own best interests to serve
customers’ needs, according to Consilvio. “We don’t want to just sell you
‘whatever’ product and then split. It just doesn’t work that way.”
Users need to tell vendors about their business problems and environments.
“I want to know your requirements,” he elaborated. Vendors like to provide
solutions. “We don’t just want to sell you a widget and then, ‘See ya
Consilvio acknowledged, though, that vendors do operate under “a whole set
of constraints.” Vendors typically have “procedures in place” for making
enhancements to products. “As vendors, though, we only have limited
resources for R&D.”
Some changes in functionality might even require rewriting an entire
application. As a result, decisions about product enhancements are often
based on degree of customer demand, according to Consilvio.
Customers and vendors need to engage in “constant communications” around
auditability and security, according to Hertzberg. “Both have an obligation
to participate” in the dialog. Hertzberg also suggested that smaller
customers can gain a lot more clout with vendors if they band together in
For their part, administrators should also stay on top of their companies’
organizational cultures and business problems, the panelists agreed.
“Organizational culture determines what kinds of usability features are
required,” Winters noted.
What should users look for in choosing a security vendor? Vendors should
“come in with a vision,” he said. Products should be “policy-driven,” to
help customers meet business needs. Good documentation is essential.
Even more importantly, though, vendors should have adequate cash flow –
either through long-term profitability or VC (venture capital) money – to
meet customers’ ongoing needs for product support, according to Winters.
Who should get involved in choosing products? In many organizations,
security is still a relatively small part of the IT budget. “(But) it is a
portion of the budget. The key is wise expenditure,” Winters advised. In
large companies, “IT audit and security people (should) get a good working
If vendors ally with security managers and auditors, “We’ll be instrumental
in saying to the CIO and the (IT) people in charge (of purchasing), ‘This
vendor is more interested in auditability. So we recommend that you at
least take a look,’” Hertzberg said.
Hertzberg is currently the director of two generic user groups: the
Security Users’ Partnership (SUP) and the Computer Assisted Audit Tools and
Software Auditability Users’ Partnership (CAATSAUP).
Vendors are well versed in working with both security managers and
auditors, according to Consilvio, who is RSA’s senior territory manager, NY
Metro eMerging Markets. Often, security vendors are called in after a
company has failed an audit. “So we engage the auditors very early on,”