5. Security tools are too complex
IDS/IPS products are the most frequently cited offenders here, with their log files that start spewing more volume than an "I Love Lucy" candy factory.
"It's not that the product doesn't work, but they take up so many resources to keep running," says Eric Ogren, security analyst with the Enterprise Strategy Group. "It all looks good in the demo, but the operational overhead [to keep it running] is prohibitive. This kind of complexity is a huge issue."
You could just as easily toss access control systems on that same pile, he adds, with all the rights and permissions that accumulate over time and are extremely challenging to keep current as users move around or change jobs. "I'd need to hire an army to handle the helpdesk calls and to keep permissions up to date, adding and removing ones not needed anymore," Ogren laughs. But real control is only as good as the most recent updates.
Ditto for these newly emerging content inspection suites that keep users from sending out problematic emails but require regular updating. "You keep adding words and search phrases, and then the list gets too long to maintain, and the false positives proliferate," Ogren notes.
Rather than keeping companies safe, such products threaten to bury those tasked with administering them. So what about turning to a security's customer support for help?
Russ Cooper, director of publishing for the risk intel team for security vendor Cybertrust, says that's fine, at least if you expect to get someone on the phone within an hour. That's not the way most customer support works in any industry these days, though some IT vendors might "- for a hefty premium.
"With security, you're almost always talking about something that's happening right now," Cooper says. "I can't imagine that waiting an hour works for anyone. I don't want to know tomorrow what this prompt is telling me and why I can't do what I want to do."
Too often, users may get prompts that only make the problem worse "- and may well exacerbate any problem going on. "Online help has to be the stupidest invention known to man. Never assume I have network connectivity when you're going to go and try and get me help," Cooper fumes, noting how often this issue comes up with Microsoft Office products and Visual Studio. "If [solving the problem] means bringing up a link and opening a Web page, I may have just done something I'm not supposed to do."
Better that the documentation spell it out clearly, or that users be able to search their own desktops for the exact verbiage contained in the prompts. Again, this is a rarity in most products.
Ogren agrees that fewer prompts would help. "The granularity and visibility of help information should shift depending on the user -- an admin versus an end-user -- and the prompting should reflect that," he says. "The majority of security products that are out there don't do that. They use a one-size-fits-all mentality."
