The “True Security Company” Red Herring

The claim that a company is not a “true security company” because it does not focus solely on security products is a red herring.

If I ask you to define a true security company, you might tend to fall back on the most obvious answer, “Well, it’s a company that focuses on security.”

And then I would ask, “Security of what?”

And then you might answer, “Well, of whatever it is the product secures, of course.”

Of course. What it boils down to is that the most common definition of a “security company” is one that focuses solely on providing solutions designed to secure X. X may be the network, or an application, or the database, or storage. The key isn’t really the what, but the implied focus only on a security product. Period. The assumption appears to be that singularity of purpose yields higher quality. All the folks at a “security company” are necessarily focused on security, right? Which has got to be better than, say, only some of them.

Hogwash. This is nothing less than a red herring: a rhetorical or literary tactic of diverting attention away from an item of significance. When used in technology it’s generally an attempt to move the discussion away from a particular product or solution and toward the company instead. As if a company that offers other solutions can’t offer a quality security product because, well, it’s not a “security company.” It’s the same argument businesses used to use against IT spending: they weren’t in the business of IT, they said. Except that they were, by virtue of the growing interdependence between the business and the IT it ran on.

The same is true in the realm of technology. Every company is – or ultimately should be – a “security company.” The interdependence between security and any product that touches data and systems cannot and should not be a line in the sand. It should, as is the case with operational risk, be a part of the overall strategy. Like the three strands that comprise operational risk, there are three distinct strands that make a company a “security” company: people, process, and technology. It’s not about the number of people dedicated to security, or the overall focus of the organization, or even the technology they produce. It’s a unique blend of all three that comes together to create a solution capable of offering organizations the means by which they can address operational risk.

Lest I be accused of dissembling, let’s dig a bit deeper into the definition of a “security company”, shall we?

THE NUMBERS GAME

Can we base the definition on the number of folks dedicated to developing and supporting security solutions? Not really.

Niche vendors, those who focus on one specific aspect of security, such as a web application firewall, generally have fewer resources available to dedicate to their solutions. In some cases a niche vendor may have more employees assigned to its product, but not all of them are necessarily dedicated to security – many are focused on packaging and deployment and management and APIs and, well, all the other features and functionality that are required of an enterprise-class infrastructure component today. Playing the numbers game can actually backfire on a niche vendor, as larger organizations have the resources to let their security-focused employees focus on security.

Organizations – big and small – can also fudge the numbers. Security is supposed to be the concern of every developer and architect, after all, so aren’t they dedicated to security? Surely they can be counted in the employee-count game.

Obviously the number of employees dedicated to security is not a good basis for such a definition, so perhaps we can base the definition on the number of security-related products the organization offers? Or the number of customers specifically for those products? Or the number of awards? Or the number of … you get the point, I’m sure. The numbers game is not a good one because numbers can be fudged, and even when they aren’t, numbers say nothing about the quality of the people, processes, or technology in use. And it’s never been about numbers in technology anyway, because throwing more people at a problem has never been recognized as a workable solution.

THE FOCUS GAME

Another means of deciding whether a company is a “security company” or not is to focus on focus. This is basically a rehash of the old “jack of all trades, master of none” argument, which claims that if you provide more than just security solutions, you obviously aren’t a security company.

Published Feb 28, 2011
Version 1.0