The Tools Don’t Make the Carpenter

This is a common phrase that comes up to describe that two individuals with the same set of tools can produce a vastly different product. Mostly, this comes down to the experience of the individual. One has to know how to use the tools, know the tricks of the trade, know how to get themselves out of a bind, etc. and most of this knowledge comes from experience.

Have you ever tried to install crown molding in your house? Let me tell you… it’s not as easy as it looks. I purchased a fixer-upper in foreclosure after the 2008 housing market collapse, and have completely renovated it. One of the most difficult things I did was crown molding. It wasn’t because I didn’t have the right tools, I just lacked the experience to cut the right angles, to finesse the corners, and to make it fit just right. An experienced contractor came in and buttoned it up with no problems at all. It was a truly humbling experience.

Take for example these two desks:

                                                                                                           Functional. You can put things on it.
                                                                                                                      Functional. And beautiful.


Only a carpenter with experience could build both desks. No matter how many elaborate tools the inexperienced carpenter owned, they would not be able to produce the second example.

The Tools Don’t Make the Security Program

Much akin to the carpentry examples, the amount of elaborate tools an organization owns does not equate to the maturity level of the program. You have a next-gen firewall? Great! Now what? Have you configured all of your zones correctly? Are you applying all of the next-gen features to your rule sets? Are you actually using all of that threat intelligence? I ask these questions because I’ve audited many a customer’s next-gen firewall only to find that not only are they not using the advanced features, they don’t even have the layer 3 policies configured correctly. On top of all that, what are you doing with the data you get from the firewall?

How about your endpoint antivirus? You’ve got it, and that’s great, but how do you know you have complete coverage? What happens when users go off network? Can they still get definition updates, or do they have to be on premises?

There are so many questions that need to be asked when the organization is attempting to mitigate risk with a security control. Many times I find that customers are flushing money down the drain because they are relying on what their vendors are telling them and don’t have enough experience to ask the right questions.

Experience Matters

Whether making configuration changes or implementing new tools, having the experience and breadth of knowledge to anticipate the effects of those changes matters. Many times it’s difficult to find this experience in the local job market, which is why we offer our expertise. We have extensive experience in building security programs, incident response, enterprise architecture, compliance, and risk mitigation. Our technical bench also includes experts in enterprise networking, storage and backup strategies, virtualization and hybrid-cloud solutions.

Before you make a significant investment in your security program, talk to us and let us help you make an informed decision. If you already have a security program and aren’t sure of the efficacy of it, we can help there too. Metrics are our greatest asset in answering “are we doing the right things?” and we thrive on them. Contact us today and let’s get started in building a robust, defense-focused security program for your organization.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.