I have been waiting for quite a while to write something about my experience with vendors, MSSPs and consultants. This is my own opinion and is not targeting any specific entity. I have worked with multiple vendors, MSSPs and consultants, and what I have always noticed is the “OUR” attitude. I do understand they are here to make money and sell their services and solutions, but there is nothing wrong with sprinkling that with some honesty.
- Vendors – Buy our products and you will be safe.
- MSSPs – Subscribe to our services and you will be safe.
- Consultants – Implement our recommendations and you will be safe.
We all know that once you are connected to the Internet, eventually someone will target you and successfully gain access to your systems. It’s not about ‘if’, it’s about ‘when’ (SANS GCIH). There are no “PERFECT” systems. There are ways to access air-gapped systems too, but that is beyond the scope of this article.
The way I see it:
- Vendors – detection and prevention.
- MSSPs – more reactive, with a lot of customers and few eyes, and sometimes those eyes are not very experienced.
- Consultants – how many consultants have actually used the product they are endorsing or recommending? Wouldn’t it be better if they recommended only products and solutions they have actually used?
This attitude is one of the many reasons why organisations get breached. Of course, security awareness and correct implementation of security controls are also required, but imagine if all three worked together and provided honest, correct and proactive solutions to customers; it would be a completely different picture. Organisations also need to invest heavily in people. A lot of organisations outsource their security and depend on the provider completely. This is the wrong approach: every organisation should have an internal security team with expertise in multiple areas, so there are additional eyes on the organisation.
Understand that our adversaries, CYBER CRIMINALS, work as a team and with a strategy, and so should we.