It is always with amusement that I receive offers of “free reviews” or “free assessment” when it comes to security.
Invariably the company performing the assessment identifies a fatal flaw in the current architecture and does the Dick Cheney VP selection approach: they magically have the exact solution for the problem they identified and they can help you resolve it quickly.
For what it’s worth, in 1999 Dick Cheney was tasked with recommending a VP to the Republican candidate; initially he recommended someone clearly not qualified, and then, as the perfect solution, recommended himself for the role. He ended up being VP for 8 years.
Even if you insist to the security vendor that (1) the problem is not that important or (2) you already have tools that cover 90% of the risk, they try to convince you that the remaining gap is worth the cost and that they are the only one who can close it.
Very rarely does someone actually help you mitigate the entire set of risks you have, essentially carving out security as a service.
So what is one to do? This area is well established and not overly complex; it is fundamentally a risk management exercise:
- you identify what you have as a source of risk (assets) – this covers technology but also non-technology such as intellectual property
- you identify the risks (what could go wrong)
- you quantify the risks (if something goes wrong, how much will it impact you)
- you do something about the risks:
  - mitigate (fix) them
  - transfer them (get insurance)
  - ignore them
  - or a combination of these
This is a well-established strategy that works consistently, and it is the basis for all security assessments and certifications. Without a clear understanding of your risks, a technology solution may or may not be relevant to you.
Unfortunately, in the real world, law firms have a mish-mash of tools acquired alongside other solutions or through vendor interactions; but ultimately, if there is a problem, what matters is whether the right process was followed. You will be judged on taking a proactive and rational approach to security, not on whether you eliminated every conceivable threat (which is rarely possible).