When small and medium-sized business (SMB) folks ask me how to build an information security program, I often tell them to use a value-added reseller (VAR).
So you know you need to implement a security plan, but where do you start? What do you buy? The reality is, the proper level of security is different for every organization.
Large enterprises bring many resources to the table, such as task forces, project teams and built-out labs to test everything they buy. SMBs don't have task forces or labs; they've got nothing but a lack of time to get everything done. Wouldn't it be great to push the responsibility off to someone else? Can't your information security VAR make the problem go away? To be clear, the channel has a role in the procurement and implementation of information security. But you cannot outsource your security strategy.
The VAR is not going to take responsibility for ensuring you are not compromised (nor should it). As the technology decision maker, you must come up with a security architecture and process to protect critical assets. Sorry, but that's your job.
To truly leverage the channel in the most effective way, you need to understand its motivation, which is to make money.
Blind trust costs money. Buying security products is kind of like buying a car. The customers who walk into a dealership, fall in love with a car and drive it home that day get taken for a ride. Those who know what they want to buy, why they are buying it and roughly what they should pay get better deals. You can apply the same mentality to buying security products.
Start by doing your homework. Understand what problem you are trying to solve and some technical alternatives to address the issue. Talk to other IT professionals, check resources online, surf the Web, and/or read reports from pundits like me. Get a feel for what your security plan should be. Then (and only then) are you in a position to talk to a VAR. An educated buyer is the best buyer.
Be flexible. The VAR may have some logical ideas that you haven't thought of. It's OK to treat the VAR as an advisor. Just don't treat the VAR as the ultimate arbiter or the only advisor that you talk to. VARs add a lot of value in examining the myriad of technical alternatives and choosing the right one, but ultimately the decision is yours. If stuff hits the fan, you can be sure it'll be your head on the block.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Read his blog at http://feeds.feedburner.com/securityinciterants, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.