Is that true? Is security really any more complex than other IT disciplines? More so than virtualization? Or AI? No, it’s not. It is different.
I ask this question of myself, as much as whatever audience reads my blog, because I’ve encountered this for so long at different companies where security is a subset of a larger portfolio of products. The argument is that security is too complex for sellers. Subsequently, additional skills are needed to assist the seller to close the deal. That part might be true, but sellers should have the confidence to begin a security discussion on their own.
I found this argument especially ironic when I returned to work for a telco. In my mind, telcos invented security. I was a firewall admin in 1994 when some AT&T gentlemen, Cheswick and Bellovin, published Firewalls and Internet Security: Repelling the Wily Hacker. As a firewall admin, that was my bible. I can speak first hand just how deep the security skills are at telcos. Still, the sellers there, as much as anywhere else, tell me they find security complex.
There are two reasons sellers perceive this. One is the specifics around deploying a security policy. The other is culture.
A telco seller slinging circuits encounters many complexities in the turn-up of his or her set of products. Very often they are coordinating the activation of an MPLS circuit – which they might call IP VPN. A product name that drives some security people nuts and could be a topic for another blog. Back to point, the seller might attach a managed firewall deal with the circuit, and have it provisioned to include an intrusion prevention system.
The complexities associated with tuning firewalls and intrusion prevention systems could be true for the security policies with other security tech, but FWs and IPS are examples I’m most familiar with. Ideally, the implementation process will take three weeks. Could just as easily take three months though, after the turn-up of the circuit, before the seller can commence billing on the deal. Why is that? Security must be more complex.
The issue is that customers don’t always understand their environment. They don’t know all the valid applications communicating to and from their premises and the Internet. Implementing a security policy that blocks all traffic not explicitly allowed is a discovery process. For the seller managing the customer relationship, having to explain why the IPS pattern-matched their nightly data backup routine as a DoS attack, security is complex.
I’m theorizing more on the culture aspect, but I believe it’s equally responsible for the perception of security complexity. There are two types of security experts. Chris, who served in the military in Signals Intelligence, advanced to special forces, then transitioned to the commercial sector with a stint at the NSA before joining a major MSSP, represents a formidable talent. The Colonel Flag type, he could tell you, but then he’d have to kill you.
The other type is Jen. Her office bookshelf is stacked with technical journals and her Goodreads bookshelf is also ninety percent nonfiction. She dresses in khakis and a white button-down. The Cult-of-the-Dead Cow Type can recite the baud rate of every modem she ever used for her CompuServe subscription before the Internet was a thing.
Chris and Jen might not attend RSA, but they never miss BlackHat or DefCon. They learned their tech the same as everyone else, on the job. But they spend extra cycles reading SANs security newsletters, and listening to podcasts like Security Now and Colorado=Security.
Chris and Jen belong to a community. You see this in some other industries, but it’s rare for other IT disciplines. Even the programmers’ groups on Reddit are half made of these security experts. Disaster Recovery experts don’t meet up on weekends to shoot guns at the range.
This community isn’t impossible to join. Chris and Jen drink beer and are as socially inclusive as database architects. But security is more than just a job to them. A career might be the correct word, I feel there might be a better one. There’s a reason Chris and Jen are experts.
Since I’m taking liberties with stereotypes, let me say that Sellers listen to podcasts more than any other humans. Consider listening to one of the two I linked above. You’ll find the content engaging. And be comfortable starting a security conversation with your clients. Let them know you have Chris and Jen on your team to take the discussion further. It’s not hard.