An open letter to “the Dark Side”

On November 22, 2004, in Rants, Security, by

To the marketing department of Companies in Technology:

Two things came across my desk this week to inspire this post.  The first was a study to help “develop a share CIO/TMT understanding” and the other was this blog post.

First off, there’s a fundamental flaw in how you market computers to decision makers.  You make it seem so easy to install networks and computers and technology in your message to decision makers and quite honestly, it’s not, nor should it be. 

The study that I refer to above says “the CIO must consistently work to provide the TMT with realistic expectations of the capabilities of IS. If the CIO allows the TMT to understand how IS can realistically be used within their firm to meet specific objectives, the CIO and TMT will be better able to reach a mutual understanding regarding the role IS will play within their organization.” 

Let’s translate for the SBS world, shall we?

The consultant must constantly fight against marketing materials that indicate that installing and migrating to a new system is so easy that all it takes is putting a CD-ROM in a drive and following clicks.  The consultant must try, as best as possible, to manage the expectations of the customer that have been improperly set by brochures and information that state that the network installation is so easy, will only take minutes, computers are a piece of cake, and 2-year-olds can handle this.

Gordonian was blindsided by the expectations that you gave his customer that upgrading was easy. Even on those “15 minute” preloaded machines, you do realize that it took me way longer than 15 minutes to find all the tweaks in Trend I needed to do, to add patches, to adjust some group policies.   Now granted, I was slowed down a bit by capturing what I did and blogging about it, but still, the process I’ve done took longer than you, the marketing department, have set as expectations.

Yes, I’m sorry to call you guys the “dark side”.  I know you don’t mean to.  It’s hard to run a business that needs to “cheerlead” out new products at the same time you properly set expectations. 

But understand that setting up a network securely and safely takes time.  Computers aren’t easy. There’s a reason that the Geek Squad division of Best Buy is making a name for itself, or that geeks are going home at Thanksgiving and fixing computers.  [thanks to Anne for that blog link]

Have you seen the other message that marketing puts out?  It’s an ad by Cisco advertising their Network protection feature.  You’ve seen it, Dad is at the office and there’s a massive worm attack underway and they can’t figure out how it got in and then “Sally” skips by and tells Dad “Oh, I just downloaded a game on your computer, Daddy!”. 

Well folks, first and foremost, there’s a flaw in that commercial.   First, “Daddy” should never allow kids on corporate assets and this should be a written policy that technology isn’t needed for.  Secondly, “Daddy” shouldn’t have the rights to download everything and anything on his computer.  He should be protected from himself.  Jeff Middleton wrote a section of Harry Brelsford’s next book on the concept of “least privilege”, but honestly that’s not an easy thing to do.  Security takes time.   

“We” need to change our view.  We need to change the idea that all of the packets on the inside of our networks are good packets.  That we can trust explicitly all traffic that is on the inside of our networks.  That we don’t need outbound filtering because only “good stuff” can be traveling outside, right?  That workstations are protected enough as long as there’s a firewall on the outside.  Steve Riley talked about this at Tech Ed this year and it was captured on some of the blogs and articles around that time [and for the record, XP SP2 is out; Windows 2003 SP1 is still in beta].

But let’s start first by changing… managing… the expectations of the decision makers.  Putting in network infrastructure isn’t easy.  It’s hard work.  And quite honestly even if it WAS possible to install a network in 15 minutes… it wouldn’t be secure.  You can’t get fast and secure at the same time. Decisions are involved here and the word alone implies thought, consideration, review… certainly longer than 15 minutes anyway.

So to all those folks that market.. make sure your message is clear and truthful.  Security is a process, it takes time.  Help the consultant manage those expectations by managing the message from the get-go. 

To all those customers out there ….hire competent folks that make the right decisions.  Understand that they are making decisions in your best interests and don’t rush them.

To you consultants… communicate your process to your customer and why this isn’t a 15 minute thing.

Let’s all manage those expectations, shall we?

