You’ve Bought Security Software. Now What?
Many years ago when I first started my career in network security as a support engineer, I received a phone call from a customer. (Let’s call him “Frank.”) He used our vulnerability scanner as a consultant for his own customers, and he was concerned that the scanner came back with 0 results. After reviewing his set-up, I easily discovered the answer.
“Here’s the problem: you’re not using credentials to gain access to your customer’s assets.”
“No, that can’t be. I’ve used your product for over a year and never use credentials but always receive results back.”
“Well, sometimes you’ll gain enough access to pull some low-level vulns. But in this case, we weren’t able to get any access at all. Without credentials, you aren’t seeing the true vulnerability state of your targets.”
“So you’re telling me that for the last year, I’ve given wrong information to every one of my customers?”
Uh-oh, indeed, Frank. See, he bought our software, but he didn’t take the time to properly learn how it works, and in doing so, he gave bad information to his customers for a year about their vulnerability status. During my last 17 years at four different security companies, I’ve seen similar scenarios play out with some of my customers. Buying the software is the easy part. Learning how to use it, or best deploy it, is the often-missed part.
When your sales person sells you our software, they may talk to you about purchasing some additional services such as our Professional Services team (to best deploy it), Tripwire Remote Operations or ExpertOps (to help run it), or Technical Account Management (to help manage it). You may have turned them down. After all, you’ve been in security 10 years. Your team may not have used this software package, but they’re familiar with others, and why spend money on the “extras” sales is trying to push on you? Here’s why:
- All security software is not alike. In fact, none of it is. Being an expert on a certain Vulnerability Management solution does not make you an expert on IP360. Likewise, being an expert on IP360 does not make you an expert on other solutions. Each software has different requirements. Some may require credentials. Some may require agents, instead. Some (like IP360) may allow you to use either or both. Whichever of these your software package requires will be important as you decide how to deploy it. If your software requires credentials but you’ve deployed it in an area where you’re not allowed credentialed access to your assets, then you are going to have a problem.
- The manual will only take you so far. Remember when I said, “All security software is not alike”? Well, no deployment is, either. Your network map, configuration, asset disbursement, and scanning requirements are not the same as any other company in the world. Absolutely use the manual like you would a bible. Make it ‘The Word’ when it comes to your software. But realize that it is not going to cover your specific situations. Alternatively, maybe you’ve inherited the system. No-one who was around when the decisions of the deployment were made is still on the team. Now you own it, but you have no idea why it was deployed the way it was. Or maybe your needs have changed but your deployment hasn’t. That’s where a Professional Services team comes in. They’re the experts when it comes to deployment. They’ll view your network with a fine-tooth comb then explain to you how it should be deployed to provide the most efficient use of the software for your specific configuration needs.
- Sometimes, it makes sense to let someone else do the work. Do you need to hire new resources or take resources from existing areas of your IT? Will it cause a strain in your department, or on your budget? Then why not hire a managed services department such as Tripwire Remote Operations (TRO), or ExpertOps for cloud deployments? These teams will run the software for you. They’ll connect directly to your consoles and ensure all policies are running trouble-free while providing dashboards and reports to you. You save on resources, time, and training costs. TRO does all the work, and you get all the credit.
- You may be too complicated for standard support. Support Departments are incredibly helpful, but their main job is break-fix. The software is not working correctly, and they will jump in to assist. But what if the issue turns out to actually be a feature request because the software simply doesn’t work the way you’d like? Perhaps you use custom code. Maybe you’re working with older, non-supported versions of software. Or maybe you have a very large deployment and need priority access to development and direct access to an engineer who knows your specific deployment intimately. Then it’s worth your time to invest in Technical Account Management (TAM). An engineer will work with you on a daily to weekly basis and will learn your network specifics. Imagine not having to describe your set-up every time you have an issue. Escalations from TAM customers get priority development support, and feature requests get priority Product Management support. You’ll be given training courses and onsite visits. Even non-supported issues are supported to some extent by your TAM engineer.
So, remember that purchasing your security solution is only your first step to getting your money’s worth. Take an honest assessment of what your needs are and whether it would make sense to have the experts handle it. It might cost a little more on the front end, but will it be more cost-effective in the long run? Will it mean the difference between the success or failure of your deployment? In hindsight, what do you think Frank would say about that?
And what would his customers say?