Which Is Better: A Security Appliance Or Security Software?

The Advisory Council looks at best practices for determining whether to use hardware or software for security needs.

May 9, 2005

5 Min Read
Network Computing logo

Editor's note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory-service firm. The feature answers questions of core interest to you, ranging from leadership advice to enterprise strategies to how to deal with vendors. Submit questions directly to [email protected].

Question A: Should we use security appliances for firewalls, virtual-private-network (VPN) access, etc., or would we be better off deploying security software on general-purpose servers?

Our advice: Network security is serious business. The flood of viruses, spam, spyware, and other attacks on computer networks seems almost unstoppable. The recentCSI/FBI Computer Crime and Security Survey documents that security breaches were responsible for more than $140 million in business losses at the 494 companies surveyed in 2004. Clearly, having a good computer-security defense in place is of paramount importance for any business, yet achieving that goal can be challenging. In the past, unless you had a dedicated, highly trained, professional security staff and specialized systems, something would eventually slip past your defenses. Fortunately, the new breed of security appliances now available makes practicing good security hygiene a snap, but there are worrisome vulnerabilities in taking the appliance approach to solving corporate network-security problems.
If you've recently installed a new firewall, VPN, or wireless router, you've installed a security appliance. What makes these new products different is that they're specifically designed to be easy to install and maintain—they're usually configured and functional in less than an hour—as well as transparent, inexpensive, and upgradable. They're often sold as hardware with an annual software-update subscription. Don’t even think about cutting costs by forgoing the subscription. The crackers have more expertise and spare time than you do. Take advantage of your appliance vendor’s development team, and let them stay a step ahead. Of course, it goes without saying that you need to maintain the system with the latest patches and updates. The products marketed to midsized businesses can generally be configured to update automatically.
If they’re cheap and easy to use, what’s not to like about these systems? There are disadvantages to using security appliances as part of a corporate-security strategy. The obvious one is that the appliance itself becomes a known target for malicious activities. No matter how good the vendor’s development team is, all security systems have vulnerabilities. It's a matter of time before they become known to and exploited by the cracker community.
Another disadvantage is letting your network security rely on a single point of failure. If that system is compromised, the entire trusted network might be open to attack. We recommend continuing to maintain desktop- and server-based security software in addition to any network-appliance installation.
Security appliances make sense as part of an overall IT-infrastructure strategy as long as you remain vigilant. From a business perspective, security is just an expensive insurance policy, so a solution that takes care of the problem transparently and cost-effectively seems like a dream come true.—Beth Cohen

Related Links:

CSI/FBI Computer Crime and Security Survey

E-mail Security at the GatewayNext Generation Host and Network Intrusion Prevention Solutions

Beth Cohen, TAC thought leader, has more than 20 years of experience building strong IT-delivery organizations from user and vendor perspectives.

Question B: How can we demonstrate the value and justify the cost of our help desk to the business?

Our advice: The help desk is an easy target when cost-cutting measures are instituted. It doesn’t generate revenue, and its value to the company can be easily questioned. In today’s cost-focused business environment, those who manage and serve on the help desk need to rethink and rejustify its mission. They need to see beyond its function merely as a reactionary vehicle that answers users’ requests for help. Instead, they need to reposition the help desk as a proactive IT service that can aid in identifying and driving down IT-related costs.
First, show management how important user support is to the business. Support of the technology infrastructure is a means to a greater end: overall corporate productivity. A company needs user support.
Second, the help desk should establish ways to measure how it's supporting and aiding in attaining profit and revenue goals, starting with basic service principals:

  • Document the full range of services the help desk provides, and communicate them to the business units.

  • Establish service-level agreements for all the services you provide. Make sure the respective business units buy in to those SLAs. Then, measure overall performance against the SLAs, and report that performance to management.

  • Measure usage of help-desk resources and report your findings to business units.

  • If your organization has a charge-back approach to support, be creative with your service offerings to business units so they can manage their support costs.

  • Institute self-service support options to provide more direct-support means to users. This could include Web-based support and knowledge bases for company hardware and software.

  • Periodically survey users to measure their satisfaction. Let management know you’re serving the interests of the users.
    Third, think about how the help desk can assume a more proactive IT-services management role, as opposed to the typical reactive model. Consider turning the help desk into a knowledge center. Help desks can mine their call databases for value-creation opportunities. Examples are:

  • Analyze call patterns for software support to suggest new or replacement training courses.

  • Examine hardware calls to see which involve in-warranty versus out-of-warranty repairs.

  • Validate where hardware upgrades are needed by matching application usage to hardware needs.
    Instead of reacting to every telephone call, help-desk management needs to identify areas where the help desk can be seen as adding value to the company. Keep management apprised of your actions. Demonstrate service through well-deployed metric measurements and a proactive analysis/usage of help-desk call data to see where cost savings can be realized. This can clearly demonstrate the contribution the help desk is making to overall enterprise productivity and cost containment. Management can't argue with that.—Stephen Rood

    Related Links:
    Taking the leap from reactive Help Desk to proactive IT Services Management

    Stephen Rood, TAC expert, has more than 24 years’ experience in IT, specializing in developing and implementing strategic-technology plans. He has designed and implemented a state-of-the-art emergency 911 call center for the city of Newark, N.J., and has worked at Coopers & Lybrand, General Foods, and Survey Research. He's the author of the book Computer Hardware Maintenance: An IS/IT Manager's Guide (Butterworth-Heinemann, 1995).

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights