At Ease

Dec 19, 2001 | 3 mins
CSO and CISO | Data and Information Security

Security vendors love to brag about their military credentials. They will launch a sortie of acronyms and jargon to impress and intimidate you. “Our founder is a former Army colonel who, as part of the XO Ops-Center, had Level 5 G-Sector clearance for military crypto intelligence tools rated code blue by the NSA.” Well, then, you had better buy that firewall.

Should you really, though? Should stars and bars go in your “pros” column when building a security infrastructure?

The answer is yes and no. Or, more accurately, no and yes. Military credentials are about 80 percent marketing gimmick. Still, there’s that 20 percent. Don’t dismiss rank and clearance codes entirely. They could be a sign of certain skill sets that will improve your information security. How former military officers came to exert a broad influence on information security is a right place/right time story. Luck is the residue of hard work; specialists toiling over cryptography, information warfare, emergency response and computer intelligence gained their knowledge just as the private market would demand it in spades. The Internet boomed and it was inherently insecure. Thousands traded fatigues for wing tips and went after the money.

Security consultants emerged like special forces from the shadows. Suddenly, they were everywhere, and they were attacking the market. (Aside: Characteristically, veterans professed profound skepticism about the other military branches’ ability to do information security. “They’re Army,” one ex-Navy man told me on a vendor visit. “Army doesn’t know anything about crypto.”)

This was good. It brought untold expertise into a discipline, computer security, that suffered from a woeful lack of talent. But the military doesn’t teach a computer specialist how to run a business, and choosing a vendor that will be around in six months is more important than 128-bit encryption.

What good the military did bring to computer security, the 20 percent, rests mainly in the services area. Specifically, process and planning. Regimen translates well for incident response scenarios, security auditing and crisis operations.

Military experience means far less for product vendors. Though the military develops and maintains some of the best, most complex security technology in existence, most of it is impracticable in “the real world,” the real world being a dynamic, market-driven economy.

That’s where a military background might work against a vendor. In national security the threat is well understood, and, often, failure is not an option. It’s a zero-sum game. In industry, it’s a risk management game. Several CIOs have told me that companies run by ex-military tend not to understand just how low corporations set their thresholds for complexity and cost. Buying into a vendor because of its military experience might be buying yourself into excessive (and expensive) security.

The best vendors will be well-rounded. Non-military security experts will offset G.I. Joe. A background in defense won’t drive the company’s business plan and marketing. If a vendor harps on its military credentials, treat it as a red flag: it’s counting on you to buy in blindly because of those credentials, when, as a rule, you should make security spending decisions in spite of them.