If everyone is thinking the same, someone isn't thinking

Lori MacVittie


Cloud Security: Blog Feed Post

The 'True Security Company' Red Herring

The claim a company is not a “true security company” because they don’t focus solely on security products is a red herring.

If I ask you to define a true security company, you might tend to fall back on the most obvious answer, “Well, it’s a company that focuses on security.”

And then I would ask, “Security of what?”


And then you might answer, “Well, of whatever it is the product secures, of course.”

Of course. What it boils down to is that the most common definition of a “security company” is one that focuses solely on providing solutions designed to secure X. X may be the network, or an application, or the database, or storage. The key isn’t really what, but the implied focus only on a security product. Period. The assumption appears to be that singularity of purpose is able to achieve higher quality. All the folks at a “security company” are necessarily focused on security, right? Which has got to be better than, say, only some of them.

Hogwash. This is nothing less than a red herring; a rhetorical or literary tactic of diverting attention away from an item of significance. When used in technology it’s generally an attempt to move the discussion away from a particular product or solution to the company, instead. As if a company that offers other solutions can’t offer a quality security product because, well, it’s not a “security company.” It’s the same argument businesses used to use against IT spending: they weren’t in the business of IT, they said. Except that they were by virtue of their growing interdependence on one another.

The same is true in the realm of technology. Every company is – or ultimately should be – a “security company.” The interdependence between any product that touches data and systems and security cannot and should not be a line in the sand. It should, as is the case with operational risk, be a part of the overall strategy. Security is people, it’s processes, and it’s technology. Like the three strands that comprise operational risk, there are three distinct strands that make a company a “security” company: people, process, and technology. It’s not about the number of people dedicated to security, or the overall focus of the organization, or even the technology they produce. It’s a unique blend of all three that comes together to create a solution that’s capable of offering organizations the means by which they can address operational risk.

Lest I be accused of dissembling, let’s dig a bit deeper into the definition of a “security company”, shall we?


Can we base the definition on the number of folks dedicated to developing and supporting security solutions? Not really.

Niche vendors, those who focus on one specific aspect of security, such as a web application firewall, generally have fewer resources available to dedicate to their solutions. In some cases the niche vendor may have more employees, but not all are necessarily dedicated to security – many are focused on packaging and deployment and management and APIs and, well, all the other features and functionality that are required of an enterprise-class infrastructure component today. Playing the numbers game can actually backfire on a niche vendor, as larger organizations have the resources to allow their security-focused employees to focus on security.

Organizations – big and small – can also fudge the numbers. Security is supposed to be the concern of every developer and architect, after all, so aren’t they dedicated to security? Surely they can be counted in the employee count game.

Obviously, the number of employees dedicated to security is not a good basis for such a definition, so perhaps we can base the definition on the number of security-related products the organization offers? Or the number of customers specifically for those products? Or the number of awards? Or the number of … you get the point, I’m sure. The numbers game is not a good one because numbers can be fudged and even when they aren’t, numbers say nothing about the quality of the people, processes, or technology in use. And it’s never been about numbers in technology anyway, because throwing more people at a problem has never been recognized as a workable solution.


Another means of deciding whether a company is a “security company” or not is to focus on focus. This is basically a rehash of the old “jack of all trades, master of none” argument that claims if you provide more than just security solutions, you obviously aren’t a security company.

Especially if you didn’t start with security and branch out from there. This is a red herring, designed to draw attention away from features and functionality and onto the people developing them. Implicit in the claim is the assumption that all developers, architects, and engineers are dedicated to all solutions, and none are focused on security. It’s an insult to the folks who work on security in any organization that offers solutions across a broad range of enterprise concerns because it implies that they aren’t as dedicated or focused on security as their counterparts employed by security-only solution organizations. Which is generally simply not true.

It’s a shell game, an attempt to refocus the attention on everything but security.


Security is not a product, it never has been. You can’t buy security in a box, you can only buy and deploy solutions that address security and other operational risks that enable the implementation and enforcement of security policies designed to mitigate risk.

Security is processes, it’s policies, and it’s only partially “out of the box”. The rest is completely about enabling the codification and subsequent enforcement of policies. Security is a strategy, a means to protecting what’s valuable to the business: data. Security is about determining every point along a data path where the security of that data might be compromised, and addressing it – either through policy, process or product. Sometimes all three. Security isn’t found in any single product, it can only be found in an architecture designed with the need to secure data and systems from the very beginning.

Security should be an integral part of every project – from server virtualization to the network to the applications. From secure remote access to integration. From layer 2 through layer 7. Security isn’t a “thing”, it’s not tangible. It’s the ability to align a data center architecture with business and operational goals. Security isn’t a product and it certainly shouldn’t be an afterthought. It’s part and parcel of what IT does and permeates every tier in the data center and it should be part and parcel for vendors, regardless of what product it is they develop.

Being a “security company” is a misnomer. Most organizations making that claim are narrowly focused on one particular aspect of security such as application or network or storage. A “security company” takes security into consideration at every layer of the stack at which they touch the data, the network, and the applications regardless of what product they ultimately produce. If you focus on application security, that does not obviate your responsibility to the other layers of the stack upon which your solution is deployed. Sure, you can stop the application-focused attack, but what about the network-focused attack coming in ahead of it or behind it? If the network attack takes your application security solution out of commission, then who’s left holding the bag?

F5 can’t sell you security. Neither can any other vendor because it’s not something that can be bought and sold. F5 provides products, solutions, and even architectural advice that enable organizations to secure data center resources; that allow the codification and enforcement of policies regarding access and delivery of data center resources; that provide the means by which risk can be mitigated. But it can’t sell you “security” – and neither can anyone else.

There is no such thing as a “security company”. There are companies that sell security products and services and even security guards and security systems. But you can’t buy or sell security any more than you can buy or sell unicorns*.

* Yes, I’m aware that you can buy CANNED Unicorn Meat from ThinkGeek. But you can’t buy a whole Unicorn, can you?


Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.