(version française)

In the graph below we put in correlation investments in security and the level of protection you get for that money.

Let’s define the green line as the representation of the today security market situation based on what the different vendors offer (it’s true that – for instance – when you want to achieve a very high level of security, a small increment of this level could cost a fair amount of extra money).

Now, from a conceptual point of view, we can also use this graph to highlight our attitude to the risk. To keep it simple, we can distinguish three different main security philosophies:

1. The red zone – Organizations belonging to this category spend a little amount of money in security components. They do not expect in return to get a high level of protection. They tend to react to security issues once they have happened. They typically start with the most basic level of protection and operate in “denial” mode until a breach hits which is when they react to it. In fact they don’t consider security to be worthy of even medium levels of proactive investment, and/or they may think they are not really exposed to threats due to the nature of their business.
   Unfortunately, the experience shows that data breaches can affect any organization, of any size and in any sector. A single attack, happening only once, can cause major damages, not only financially, but also in term of reputation and image. So this attitude is very risky in our today environment, where pro-activity is essential.
   
   
2. The orange zone – The second and intermediate category regroups those enterprises being pretty well aware of the various running risks. They usually take seriously all the security aspects. The majority has put in place over time different security layers and components and thus managed to improve their threat control and risk mitigation. But they still approach security from a proactive but tactical one off approach standpoint, i.e. they believe security to be important but don’t consider it holistically.  They tend to have a large number of vendors and non-integrated security solutions.
   I don’t think this tactical posture is the right one to adopt either, as the fact they have implemented different security systems, from different vendors, leaves some holes in their line of defense that a malicious hacker could quite easily exploit.
   
   
3. The green zone – Finally, the third category consists of organizations having a high security awareness and that are looking at putting in place the best possible protection in order to mitigate the risk as much as they can.  They approach security from a proactive and holistic security information strategy standpoint and they tend to have one to few vendors. Furthermore they operate an integrated approach – from the devices to the datacenter – for security needs.

So, quick question for you : in what category would you classify your own organization ?

Now, let’s go back to the curves. As mentioned, a high level of security has a price. From a vendor perspective, continuing to offer the best security products, implementing new features able to stop the ever evolving attacks and threats, having a threat center focusing on security research and ensuring then that your installed equipments are always up to date with the latest threats information, all this requires continuous innovation and sustained investments in research and development. Only those vendors that consent to these investments can offer in the end the best possible level of security.

Unfortunately, some security vendors try to convince us they can offer more for less. This results in a shift of the green line to the left (dotted blue line). This could sound attractive to some organizations, but the reality is they end up with a solution not delivering the expected/promised level of security, resulting in the red line on the graph. The bigger the produced gap between the green and the red lines is, the more latitude you leave to hackers and malicious people to generate attacks. And the worst thing about that is you finally become aware of the existence of this gap the day when a serious attack occurs and creates irreversible damages…

The conclusion is “good-enough” security is simply inadequate for high-performance enterprises. This is NOT an option in our ever evolving threat landscape. Also, only end-to-end, cooperative and federated security can efficiently mitigate the risk; implementing point products belongs to the past and is the best way to eventually finish with an infected network.

The Juniper security portfolio is unparalleled in the industry. This allows us to serve our enterprise customers and deliver a security solution and architecture that spans the datacenter (including now web applications), campus, branch and mobile workforce (true end to end solution). We have a leading research team that not only writes our signatures but also has deep insight into the ongoing threats that we see in the industry. This insight is translated into signatures and technology to develop more advanced capabilities to address today's emerging threats.

I hope this blog has helped you a bit to answer the initial question.

My final and humble advice to you would be:

• Adopt the right attitude to the risk – and I think only one makes sense
  
  
• Think twice before choosing a security vendor – critical aspects like credibility, vision, innovation, portfolio richness (end to end) and history must be considered
  
  
• Remember that only collaborative security can offer the highest possible security level and risk mitigation
  
  
• And finally, ask yourself about which curve you would like to be on, the bottom line being that every organization should aspire to get to the green zone and on the green line.