
All security products are good

I tried to be a bit click-baity with my headline by saying all security products are good. But I think I failed in making it very enticing. That’s typically a problem with click bait: if you don’t go big, you don’t really generate a ton of interest. And if you go too big, then you end up looking crazier than the Naruto runner outside Area 51.

I was reading something by James Clear, author of Atomic Habits which said,

“Your time is better spent championing good ideas than tearing down bad ones.

The best thing that can happen to a bad idea is that it is forgotten. The best thing that can happen to a good idea is that it is shared.”

It’s such a good articulation of why it’s a waste of time arguing about which strategy works best in cybersecurity. Most things do work, depending on your needs and your capabilities.

Sometimes endpoint security is the better choice compared to network security or vice versa. Or sometimes there is benefit to investing in preventative controls as opposed to detection and response.

When I was an industry analyst, many times startups would use the time in the briefing to put down their competition. It was a terrible waste of time because at the end of the call, I’d sometimes have no clear idea of what they did, but a far better understanding or appreciation of their competitors.

A lot of security products are good. What I mean by good is that they have a particular function, and to a lesser or greater extent, they do achieve that. And if they don’t achieve that for you, or your organisation, then that doesn’t mean they’re totally useless to anyone.

There are probably two main questions buyers should be asking:

  1. Does this product solve a need for me? Have I looked at my threats and thought that this particular technology will help in that regard? If so, then proceed to step 2.
  2. How does this technology compare to other comparable products in terms of performance, pricing, country of origin, support, and all those kinds of good things?

How we answer 1 will help determine 2. For example, if you’re only looking for a tool to tick the compliance box so the auditor will leave you alone, then by all means pick the cheapest, easiest-to-get-hold-of product and smile gleefully as your QSA hands in their visitor pass.

Now, the comparison part gets tricky at times. Sure, you have magical waves and shapes from analyst firms which tell you how they think products compare, but their criteria are probably different from yours. So peer reviews are probably a better measure, or, if you have the time and resources, running your own test can be useful.

But I digress, I didn’t intend to turn this into a discussion about how to evaluate and buy products.

Reflecting back on the James Clear quote, I think it’s important to remember that for most security professionals and vendors, we’re in the same game: to better secure organisations and individuals. We may go about it in different ways, and we may believe one way is superior to others. But putting down others won’t help our own cause.

Feed the good ideas and let bad ideas die of starvation.

*** This is a Security Bloggers Network syndicated blog from Javvad Malik authored by j4vv4d. Read the original post at: http://feedproxy.google.com/~r/J4vv4d/~3/W-GKhQNiCdQ/