Why does your organisation buy enterprise security software?

The answer might seem obvious, but it's not.

I had a very interesting chat with Eurekify founder Dr. Ron Rymon the other day about a multitude of things including the GRC market at large as a follow up to my post last week regarding CA. One thing I didn't mention was CA's agreement with Eurekify to resell their Enterprise Role Management product, but you'll find it within the comments in response to the post. Ron also reminded me that Eurekify has a GRC solution offering of their own. A lot of people think of Eurekify as just a role management company because that's what they're best known for. Eurekify specific discussions aside, one of the things we spoke about was the various reasons behind why organisations buy GRC software. This got me thinking a little more, which brings me to the point I'm trying to make.

I went into some amount of detail about approaches and drivers to GRC but one thing I didn't talk very much about was the reality of the situation in some organisations and their attitudes towards security related activities (I'm including compliance here). I've found in my experience that it is the attitude and corporate culture that will ultimately determine if a particular piece of security software is the right solution for the organisation from a decision making and purchasing standpoint. If you are the sales guy, you need to very quickly qualify the opportunity as follows:

1. Is the organisation interested in implementing a security solution to solve real business and IT problems or do they want to "tick check boxes" within a form so they can satisfy specific audit requirements?
2. Is the software product you are selling a tactical or strategic one?
   

Most sales guys will answer question 2 by saying "of course my solution is a strategic one!". Don't kid yourself. You know what it really is so you need to sell it accordingly. I should probably explain the difference between a strategic and tactical software product:

• Tactical - typically a point solution that does one or two things very well. e.g. an encryption product.
• Strategic - a platform or infrastructure solution that solves a larger, high level issue that is of business significance and affects more people (or parts of the organisation). e.g. an Identity & Access Management suite.
  

Taking a very simplistic view in this case, your qualification matrix looks like this:

	Tactical	Strategic
Solution approach	need partners	in
Tick check boxes	in	out

If you are selling a tactical solution, your best bet is to go for organisations trying to tick check boxes that the auditors said to tick. e.g. an auditor might say "if you encrypt all your disks and superglue all your USB ports rendering them unusable, I'll tick the PCI-compliance box for your organisation". If you are selling a strategic solution, go for the organisations that actually want to address an issue properly and more holistically. In other words, they are more interested in proper security. That's not to say you can't go for the strategic sale if you have a tactical solution. You just need to partner with the right vendors to give the organisation a "best of breed" solution.

The thing we need to examine is why so many organisations think ticking check boxes = good security? I'll talk about that another day. I've already written one long essay this week.

For now, ask yourself:

1. If you're in sales - are these guys ticking boxes or addressing security?
   
2. If you work in an environment that buys software - do we tick boxes or do we address security issues?
   

It'll save everyone a lot of wasted time and money.