Careers: Are You a Security Conservative, Gloryhound, or Gambler?

The security solution you choose has important implications for your company and your career.

Sooner or later, you'll be faced with this choice: deploy a mature and proven security product now, take a risk on a new technology that might be superior, or wait for a copycat product that a giant vendor promises to deliver in the future? A lot rides on that decision -- so much that you may need to consider the implications for your career.

You know that the evolving threat environment demands that you make a decision. The correct choice will keep your employer happy (and may, as a consequence, accelerate your career progression). The wrong choice could have unfortunate consequences for your employer and yourself.

The "Safe" Choice

The most conservative decision, of course, is to adopt standard technology from a large, financially stable vendor. Among the advantages of this decision:

  • You're likely to get a mature, proven product that you can deploy relatively easily. Most of the critical bugs have been worked out, and experienced professional services firms are available to help resolve issues. If something goes wrong during implementation, it can probably be fixed without extreme pain. In any case, you're less likely to be criticized since you chose a name-brand vendor.

  • The product probably delivers its advertised benefits. Enough customers have already used the product that you can find out fairly easily what it does and does not do.

  • If you're already doing business with the large vendor, you know the best way to deal with them. You may also gain benefits such as automatic integration of the new product with their management system or other security products.

While that's a fine set of benefits, consider the one potentially severe disadvantage of this "safe" choice. If the black hats come up with new attack techniques that get around the older technology you chose, your decision may not look nearly as good. And depending on the severity of the damage caused by the new exploit, you may find that the "safe" choice wasn't so good for your career after all.

The Hotshot Play

If you're a moderate-risk taker, you may instead pick the newer technology from that hot startup (after a careful and thorough evaluation, naturally). Theoretically, there are two reasons to make this decision:

  • The newer technology really will protect your organization much better than the older alternative, and you'll avert the costly security breach mentioned above. A recent example of this phenomenon was the ability of desktop firewalls to mitigate the damage caused by the worms that evaded antivirus and IDS defenses.

  • You'll be recognized both in your own company and possibly in the industry as an innovator who has proactively protected your employer against current and future threats. You may even become a hero if your company withstands, say, a new worm outbreak that takes down the networks of less-prepared firms. Rapid career advancement may follow.

The lessons of the recent technology bubble make the downsides of this choice clear:

  • The vendor may grossly overstate what the product can do, the solution may be next to impossible to implement, or the vendor's cash may run out. If the vendor has either no track record or a record of difficult deployments, or its financial state isn't verifiable, the risk of choosing them is rarely worth the reward.

  • Failed "risky" projects tend to put their sponsor's career advancement on hold (or worse). Sponsors of these projects usually have to put their reputation on the line to get them approved, so project failure may reflect directly on their judgment.

The bottom line: you didn't get the benefits you paid for, and you suffered mightily for the privilege.

The Long-Term Gamble

Every experienced security professional has seen this scenario: a smaller company (usually a startup) launches a groundbreaking new product that has the potential to set a new standard. In response, the 800-pound gorilla vendor in that market announces, "We'll have even better functionality than that -- Real Soon Now. Just wait for us to ship our version. You'd rather choose an impressive, established company like ours, wouldn't you?"

The third option -- waiting for the 800-pound gorilla to deliver on its promises -- involves the most interesting set of pros and cons.

The advantages include:

  • You and your staff buy time by postponing the justification of budget proposals, the assignment of another project to your staff, and the significant amount of time you would otherwise spend on the issue.

  • As with the "safe" option, above, your choice of a big name vendor might minimize management second-guessing.

Those pluses sound very compelling until you think about what can go wrong:

  • While you're waiting for the gorilla to deliver, a new exploit hits your organization and causes substantial damage. Explaining to your management why you did little to defend your firm while your industry peers took action will be awkward. For example, one current decision facing many security managers is whether to wait one to three years for Cisco or Microsoft to deliver on promises of PC network access control (i.e., the ability to deny access to any PC that isn't running up-to-date antivirus, doesn't have a desktop firewall running, etc.). This functionality is currently available from other vendors, so waiting for vaporware to become a mature solution could prove costly in the near term.

  • As the gorilla's schedule slips (or evaporates entirely), it becomes increasingly likely that the missing security will result in a costly breach. It also becomes increasingly hard to justify why you procrastinated while technology to defend the enterprise was already available.

A Fourth Option

No one decision works for everyone. The correct choice depends upon your organization's culture, your tolerance for risk, and the technology in question. In some cases, however, there's a fourth option that may offer the best risk/reward ratio to most security managers.

If the newer technology you're considering is sold by a big, stable vendor that shows it innovates like a startup and offers similar security advances, you can minimize purchase risk while keeping up with emerging threats by choosing their offering. You'd get protection against the newest, most sophisticated attacks, and you'd also be confident that the large vendor's greater resources, experience, and support programs would greatly increase the likelihood of a successful implementation. There's relatively little downside associated with this choice, as long as the vendor is a proven security innovator.

This "best of both worlds" option isn't always available, but when it is, it makes your decision much easier. Always look for a vendor that fits this profile before choosing an approach that involves a tough set of tradeoffs.

About the Author

Rich Weiss is the Director of Endpoint Product Marketing at Check Point Software Technologies, Ltd. and is CISSP certified.