Using threat modeling to select and justify security purchases

Hot humint straight in from the field of data security.

I don’t have Symantec’s marketing budget and head count or  Gartner reports telling me  that enterprise concerns about high impact data loss events are up.  By my clients, data security awareness is up, but budgets are down and out.

I think that vendors with strong data security products like Fidelis Security (network DLP), McAfee and Verdasys (agent DLP) are making a mistake by trying to sell on the strength of their customer base and feature set alone. Sure – vendor stability and features are important – but in this market, most CFOs think that buying more IT security is like buying a new $50,000 SUV from GM to get to work, when what you want is a second hand $1,000 road bike  from Merida.

The key criterion a customer needs for choosing an IT security product is whether it mitigates threats to their business (their business, not VISA or JP Morgan or Vodafone or the US Army).

Selection of IT security countermeasures requires measuring their effectiveness against a particular threat. It’s a lot easier to make a decision  if you don’t get distracted with comparing product features on paper. I’ve implemented an example in a Practical Threat Analysis threat model for fun – you can download the IP Protection threat mode here

You will need to download and install the free risk assessment software first on a Windows PC (sorry it doesn’t work on Ubuntu yet – that’s in my plan for later this year if I end up with too much free time on my hands)

Related Posts Plugin for WordPress, Blogger...
Tell your friends and colleagues about us. Thanks!
Share this

Leave a Reply

Your email address will not be published. Required fields are marked *