Q&A: Software-as-a-Service and Threat Management
by HNS Staff - Monday, 7 July 2008.
You can do more with a single well-configured IDS or Log Management product that provides real value, than a garbage truck worth of security appliances sold to businesses in the name of “defense in depth”. Businesses spend an inordinate portion of their budget on security products, but pay very little attention to how they use those solutions. Anyone that has an IPS system serving as a doorstop or a SIM collecting dust on a shelf should consider drastically changing their approach. Find a solution that may not have as many bells and whistles but is easy to deploy and easy to use. SaaS solutions tend to fall into this category, but there are plenty of capable traditional solutions as well. Then spend the remainder of your budget making sure your staff are ready to respond to situations that contribute to the business risk.

A single security admin that pays attention to one product will be infinitely more useful than a whole security team overwhelmed by a dozen sources of data that must be analyzed every day.

Compliance is certainly strengthening the overall security of organizations worldwide, yet we are still plagued by a variety of security risks. What should the CTO pay special attention to?

I don’t expect that to change – security risks are a fact of life. They will continue to evolve and will always be a factor for any business. There are two things I’d recommend for every CTO and CIO out there:


1. Don’t assume that SANS or PCI Council or Bruce Schneier can tell you what your top risks are. Risks are always going to be unique to your environment, and depending on the business you are in, they may not even be entirely network related. Focus on risks that have the most impact on your business, otherwise you will always be chasing your own shadow. Analysis of top risks affecting your business should be a regular process in your ongoing business planning. Get your organization used to the idea that managing information risk is something as natural as planning your budget.

2. I’d pay special attention to the readiness of your security team. While I do not believe security should be managed internally, there always has to be an internal team that understands security, technology and your business. Companies that use MSSPs are especially sensitive to this – often outsourcing is seen as a green light to drop your guard. Truth is that in a triage situation, when fast response and well-thought-out action matters, no service provider can really be a surrogate for well-prepared staff. Only the people who can truly understand business risk should handle response to critical situations. Have the roles assigned, procedures reviewed and incident response plans tested before something happens. Make sure the communication, command and control paths are crystal clear. This could mean the difference between a full breach or data leak and a close call.

With the constant evolution of threats, what kind of technology challenges does Alert Logic face?

Integration with other vendors and data sources is right at the top of the list. The software-as-a-service model opens up very unique opportunities that security products have not begun to leverage. Everyone knows what mashups are – you take a Google map and blend it with LinkedIn. It’s not rocket science. But what if you could do the same with SaaS security products? Geolocation, reputation services, identity awareness come to mind. Possibilities are endless.
