Here’s the scenario: a firm purchases a security solution. The firm skimps on professional services and/or rushes the schedule on implementation and/or neglects to maintain the product properly.
Do not be surprised when, one day, that security solution does something that results in a system-wide outage:
Fig. 1: System-wide outage
Why were those decisions made? Because professional services, longer timelines, and proper staffing/coordination are all costs, and we demand better return on investment!
The problem is that many security systems have the capability to shut down the entire network, or kill access to PCs, or other stuff that, well, keeps devices completely safe from threats by denying any access to them whatsoever. And while an enraged executive can satisfy his need to offer up a sacrifice to the shareholders in his firm by kicking out the vendor closest to the outage, there’s still the problem of cleaning up the after-effects. The vendor typically survives to roll out product another day, but the firm is left with the same problem as before – and will have to now go to another vendor whose product can be just as destructive as the first, if implemented incorrectly.
Fig. 2: Vendor making an exit from firm after system-wide outage
Worse, the firm may choose to reject all vendors of a particular solution and instead seek to eliminate all technology that requires such a solution with a Bold Move. “We’re going to get rid of all our Windows workstations and switch over to thin clients that run on burner phones, so we don’t need firewalls anymore.” Yeah. Good luck with that. This much I know: whatever product is mentioned as part of a Bold Move Strategy definitely has an amazing salesperson in that region. Chances are, that Bold Move is going to involve a purchase order that skimps on professional services, compresses timelines, and lacks proper staffing and coordination, which may result not in a system-wide outage, but an undesired result after a lofty promise.
Fig. 3: Undesired result after a lofty promise
This, in turn, can result in the executive who oversaw a failed vendor implementation and a failed Bold Move taking an opportunity at another company. This makes way for a new executive to step in and try his hand at choosing between doing things on the cheap or doing things correctly. Because RoI is much easier to measure than the chance that a botched implementation results in a DoS, my money’s on the cheap.
Fig. 4: Another botched implementation of a security product…