Monday, August 28, 2006

What I learned as a customer

Last week I hosted a WhiteHat Security webinar for a couple hundred people that ended in a spectacular failure. (To be polite I'll leave out the name of the third-party service provider, but let's just say they're a really big company and it was all their fault.) The experience was very disappointing, as this was an exciting event as an encore to the Black Hat presentation. A couple of days later something hit me. I became a customer again rather than a vendor! I was put directly in my customer’s shoes. I was reminded of why I started WhiteHat Security and what information security professionals provide to those who depend on us: a level of confidence that someone is making sure nothing will go wrong. Let me provide some background.

I'm not comfortable with webinars. I'm used to performing demonstrations LIVE, where if something blows up, a common occurrence, I have a backup plan. Normally the audience never notices. Choosing a hosted solution was the first decision because it doesn’t make sense to build our own infrastructure. We did our homework. We selected a vendor that knew what they were doing, even if they’re comparatively more costly than the alternatives. For us, that part didn't matter much. The solution felt smooth and stable and we were willing to pay for that. This is better than inviting our guests to a shoddy event. Every buying decision we made was on the basis of confidence.

The morning of the webinar, the hosted backend system died, crashing many other in-progress webinars, booting the attendees, and leaving me unable to log in, with sporadic connections. After realizing the problem was not on our end, we were forced to apologize to our attendees and end the webinar early. These things happen sometimes and there’s not a lot you can do about it (damn that Murphy). Do we regret our selection decision? No. What you want to be able to say is you did everything you could to prevent a bad situation. That’s what we did.

An information security professional's job is helping organizations make sure nothing happens. Or at least put off that eventuality for as long as possible. For security assessment providers like myself, we serve that goal by identifying vulnerabilities so they can get fixed before the bad guys exploit them. And I said before, "The reality is someone only needs a single vulnerability to exploit you and cause you to have a really bad day." Organizations depend on us to find all the vulnerabilities all the time. Sure they could do it themselves, which is fine, but that’s not the point. The point is reaching “a level of confidence that someone is making sure nothing will go wrong.” That's what I was reminded of. We do a lot more than just find vulnerabilities.
