The title for this post is only funny if you read it in the voice of Jules Winnfield asking Brett to describe what Marsellus Wallace looks like. If you can get in that mindset (I can’t link to it, you just have to get there on your own), then this will be more effective.

Jules Winnfield asking the question.

Imagine for a second that you are the CIO of a company (Jules Winnfield), and you are trying to build some information security features into the systems you are responsible for keeping up and running. You go to your CISO (Brett), or maybe the sales rep of the infosec vendor, and ask them how their product works in the new model of IT provisioning and operations. Brett says “What?” a bunch of times until you get really tired of hearing it, and then eventually says it looks like a machine and cabling. You ask, “Does it look like a physical deployment from 2005?” He says, “What?” And then you pop him one in the arm.

Now are you in the mindset?

I’ve been having many conversations with IT professionals that own some operational function of information security, and many have been asking me these kinds of questions. IT provisioning in 2011 looks pretty different from 2005, but it seems like we still think about information security in those 2005 terms.

We tend to think about security tools as appliances and hate to think about agents. Rightfully so, we’ve been convinced support is easier with the former, and way harder with the latter. But we’ve passed the tipping point where either really works well in today’s IT environment.

Enterprise users need security services that work with 2012 provisioning strategies. Those include flexible computing concepts like cloud, and virtual data centers that function irrespective of the underlying hardware powering them. If IT is operating like a service, why isn’t security? IT leaders don’t want physical hardware to rack and stack in a data center. They want vendors to supply deployment options that work with flexible data centers. It’s stupid to spend thousands or millions of dollars on flexible computing only to have some security tool require data be piped outside of that vSphere for processing, and then probable reinsertion into the same vSphere for a result or analysis.


So the next time you are faced with implementing some kind of security tool, feature, or process, ask yourself if you are doing it in a way that fits TOMORROW’S IT deployment.

This post originally appeared on

  1. It’s SO jarring to mix these two references.