



So, you bought good security tools. Now what?

Jul 12, 2016

The pace of growth in the availability of information security tools in the last five years has been nothing short of astounding. The industry has seen many startups in this market space, along with a healthy pace of product acquisitions by established companies, thanks in large part to the growth in cybercrime.

While it took some time, it seems that the data breach explosion has caught the attention of many business leaders. When the target was Sony or Home Depot, companies further down the food chain did not seem to worry much. As smaller companies began falling victim, and with the rise in ransomware hitting individuals, many more in the medium enterprise and small and medium business world began to pay attention.

The combination of product availability and rising concern about becoming cybercrime victims brought about a natural reaction — companies in large numbers began to purchase the tools offered by the growing number of information security companies. This may sound like a positive development, but there are definite challenges.

In my practice, I have seen a definite upswing in the number of companies purchasing expensive security tools, which will ultimately sit on the shelf and do little to improve their security posture. They have become victims themselves, having purchased tools they can’t or won’t use, and thinking somehow that the purchase and initial installation makes them safer.

I in no way mean to impugn the growing list of good security tools available. More such tools become available every month, and notwithstanding a few that are more hype than reality, they are generally good and useful. I would also never suggest that companies not consider tools that can help their security posture. The issue that concerns me is the purchases that happen without an understanding of the care and feeding involved with such tools, and of how they will fit into the operation of an organization.

If you are a leader in one of the many such businesses or organizations considering security purchases, I would suggest that you think through the following steps first. If you have already written the checks, I suggest that you back up and run through this list.


Most companies are smart enough not to launch a new product or service themselves without establishing the proper strategy first, and yet the same entities will make expensive tool purchases at the drop of a hat. Before you spend anything, understand the problem you are trying to solve.

Threat intelligence is one of my favorite examples. The concept of using shared security information to protect a business is attractive. The concept is useless, however, without the proper infrastructure and the ability to use the information. 

Start by figuring out what issues you need to address. What particular security threats are common in your industry? What attacks have you or others in your industry seen recently? What critical assets do you need to protect? Once you understand these items, you can begin to build a strategy.

A good place to start is with a formal risk assessment. This may sound difficult and time-consuming, but it can be done quickly and efficiently, as I describe in “The dreaded risk assessment.”


If I could build a product that would show you via a single console screen the threats your business is currently facing, and what you need to do immediately to protect yourself, I would retire comfortably to my own private island, probably next door to the one owned by Bill Gates. Sadly, no such technology exists, nor is it likely to in the foreseeable future.

Automation can help, but people must be the center of your strategy. What staffing would you realistically need to implement your strategy? Are you better served by outsourcing some or most of your security efforts? Beyond the very basic tools, like a good endpoint security suite, you should not be making major purchasing decisions without considering the staffing implications. 

Data collection 

The key element to any security product involving security analytics or threat intelligence is the connection of data from your systems and networks into a single repository. Without this, any investment in such tools would be wasted.

One of the values of an approach like threat intelligence, as an example, is the ability to compare the incoming data with the content of your logs, looking for overlap. One of my customers recently got a threat intelligence report involving a list of rogue IP addresses. When they compared the list with their log repository, they found that one of the addresses in the list had been repeatedly trying to breach their network.

Intelligence and analytics work, but a good central log repository must be at the core. You can find good background information on accomplishing this in the article “Are you buried under your security data?”
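The comparison described above, an indicator list joined against a central log repository, is simple enough to show end to end. The following is an added example, not code from the article or from any product it mentions. The indicator feed, the log lines and their field layout (timestamp, source, destination, action, service) are all constructed for the illustration; it goes slightly beyond the single-address case in the text by accepting CIDR ranges in the feed and by recording whether a matching source was ever allowed through, not just how often it was seen.

```python
"""Added example: correlating a threat-intelligence IP list with a central log
repository. Indicators and log lines are constructed; the log layout is an
assumption for this illustration, not any vendor's format."""
import ipaddress
import re
from datetime import datetime

# Constructed indicator feed: one IP or CIDR per line, '#' starts a comment.
INDICATOR_FEED = """
# constructed sample feed
203.0.113.45
198.51.100.0/24
192.0.2.200
"""

# Constructed firewall-style log lines: "timestamp src dst action service".
LOG_LINES = """
2016-07-10T02:14:07Z 203.0.113.45 10.0.0.5 DENY tcp/22
2016-07-10T02:14:09Z 203.0.113.45 10.0.0.5 DENY tcp/22
2016-07-10T03:01:55Z 10.0.0.8 93.184.216.34 ALLOW tcp/443
2016-07-11T11:42:30Z 198.51.100.77 10.0.0.5 DENY tcp/3389
2016-07-11T11:42:31Z not a well-formed line
2016-07-12T08:05:12Z 203.0.113.45 10.0.0.9 ALLOW tcp/443
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ALLOW|DENY)\s+(\S+)$")


def parse_indicators(text):
    """Return ip_network objects; single IPs become /32 (or /128) networks so
    one containment check handles both hosts and ranges."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_log_line(line):
    """Parse one constructed log line; return None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, action, svc = m.groups()
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "action": action,
            "service": svc,
        }
    except ValueError:  # bad timestamp or address
        return None


def match_indicator(addr, nets):
    """Return the first indicator network containing addr, or None."""
    for net in nets:
        if addr in net:
            return net
    return None


def correlate(log_text, feed_text):
    """Join log source addresses against the indicator list.

    Returns (hits, skipped): hits is keyed by indicator string and records the
    hit count, first/last seen time and the set of actions observed (an ALLOW
    after repeated DENYs is the detail an analyst wants surfaced); skipped is
    the number of log lines that could not be parsed."""
    nets = parse_indicators(feed_text)
    hits = {}
    skipped = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_log_line(raw)
        if rec is None:
            skipped += 1
            continue
        net = match_indicator(rec["src"], nets)
        if net is None:
            continue
        h = hits.setdefault(str(net), {"count": 0, "first": rec["ts"],
                                       "last": rec["ts"], "actions": set()})
        h["count"] += 1
        h["first"] = min(h["first"], rec["ts"])
        h["last"] = max(h["last"], rec["ts"])
        h["actions"].add(rec["action"])
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = correlate(LOG_LINES, INDICATOR_FEED)
    for ind, h in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ind}: {h['count']} hits, {h['first']:%Y-%m-%d %H:%M} .. "
              f"{h['last']:%Y-%m-%d %H:%M}, actions={sorted(h['actions'])}")
    print(f"unparsed lines skipped: {skipped}")
```

Two details matter in practice and are why the skipped counter exists: a repository that silently drops lines it cannot parse will hide exactly the traffic you are looking for, and a feed that only ever produces DENY matches is far less urgent than one whose source eventually shows up as ALLOW on a different port.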


Once you have your strategy and staffing in place, and you are able to address logging, you can begin the process of product selection. Ask vendors to show you real-world examples of companies successfully using their products. Talk to references, and understand what the real care and feeding of the products involves. Try them in your own operation for a time, to assess their true potential impact. 

Implementation and operation

Many of the security tools on the market are complex, and require integration with your log management and other tools. As such, strongly consider using professional services offered by your vendor to handle the initial implementation. Once installed and operational, make sure you have policies and procedures in place to ensure that alerts coming out of such products are acted upon. In my article “The devil is in the details: The importance of tight processes to strong information security,” I provide a road map for accomplishing this.

Bottom line: Security tools are a great way to help secure your organization, but you must take the appropriate steps before you write the check. An unused or underused tool does little more than drain your bank account.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
