Security vendors are "bullshitting" users

Blue touch paper lit, time to step back and watch the fireworks...

By Will Sturgeon, 22 September 2004 18:20

NEWS The head of information security within one car manufacturing giant has spoken candidly to an audience of press, analysts and IT bosses of his concerns over the claims made by some security vendors and resellers.

Richard Cross, information management officer at Toyota, warned against the misleading double-speak and the promises of universal cure-alls which end up confusing and misleading IT managers who may allow themselves to believe such products exist.

"There is a temptation to go searching for a panacea, but if you find yourself speaking to a vendor and it sounds as though you are being offered a panacea then it's time to change the conversation," Cross told attendees at the Gartner IT Security Summit in London this week.

"Sorry if you are in the market for a panacea or you are a panacea salesman... but there is a lot of bullshitting going on," he added.

Ian Schenkel, MD of end point security solutions firm Sygate, agreed with Cross on the issue of a non-existent panacea, but added that if there are any IT directors who have fallen for this "bullshitting" approach then it is in part because they have not done their homework.

"Some IT directors are looking for the Holy Grail," he said, adding that some have a tendency to only hear what they want to hear. "But they are basically kidding themselves. What IT directors want to hear is that I'm the medicine man here to cure all their ills, but that simply isn't the case. Companies should always be looking at a layered solution, involving multiple vendors. To expect a single solution is unrealistic."

"A responsible vendor should be able to back up any claim they make, but IT directors should also be extensively testing the claims of the manufacturer for themselves," he continued.

"Don't believe what you read on the box - bold claims may get a vendor through the door but no way should they mean a vendor makes more sales."

Cross's comments clearly do not apply to all vendors, or even to more than a small minority. Many responsible vendors within the industry are aware that a few 'cowboys' can tarnish the reputation of the whole sector, but it is far less of a problem than it used to be, said one vendor.

Simon Perry, VP security strategy at CA, said: "Five years ago it was certainly true that most antivirus vendors were talking things up, but a growing sense of maturity and responsibility in the industry has definitely seen this decline."

Schenkel agreed the 1990s weren't great days for honesty within the industry or the image of the IT vendor, but also added that much of the negative press addresses little more than the kind of marketing which is rife in any competitive industry.

"There is always going to be an element of jostling, with companies claiming theirs is the best product on the market, but that is just the software industry. The bottom line is that companies still have to back up their claims," he said.

Perry warned that companies who do over-sell themselves without support for their claims are in danger of not being taken seriously and jeopardising their business. Typically it is smaller companies attempting to punch above their weight and gain recognition in a crowded marketplace who may make bolder claims, he said.

The still-fledgling area of spam prevention is one where bold claims are rife and companies still seem to talk of impossibly high levels of performance.

David Guyatt, CEO at Clearswift, told silicon.com he would back any industry initiative and codes of practice which would effectively expose any company making exaggerated claims.

Cross's comments come in a week when the media was also blamed for confusing the IT security market and 'sexing up' the nature of threats to sell copy.

Comments

There are 6 comments.

  1. anonymous

    We should all thank Richard Cross for dragging this into the light.

    Why should it be considered unrealistic to want a complete solution from a single vendor - because then they would have no-one else to blame or because they are just not good at much apart from BS?

  2. Julian Bogajski

    I agree there has been a large amount of vendor BS in this industry over the years, though I also think the market has wised up.

    My favourite and oft-given quote from our clients, talking about our product "Antigen for Exchange", is that "it does what it says on the box". That to me is the best BS-free endorsement of a product and gives a pretty good indication of customer satisfaction. No frills. No marketing guff.

  3. anonymous

    That's odd Julian, our copy of Antigen never said "doesn't bloody work" on the box?!?!?!

    ;o)

  4. John Taylor

    The issue is not always Vendors "bullshitting" but the lack of understanding of Security and issues. The best people I know are not CISSP, or CCIE or anything else! They understand -- that is important! There is no "holy grail", there is no "cheap fix" but there are answers IF you ask the right questions!

    I am reminded of the words of one of the World's most respected specialists on IT Security at a conference I attended recently: "Don't for one moment think because someone has "security" in their title that they actually know much about it"! He went on to explain that they may know about servers, or desktops, or anti-virus etc. but are not encouraged to take a broad business view and often don't actually know what future IT plans are!

    What a lot of organisations have forgotten is the basics: what effect has this on the business? If a server going down for 3 days has little effect on the business then spending a lot protecting it may not be justified; a single laptop that has not had sufficient investment in "true security" could cause irreparable damage!

    In my view the biggest issue is that to secure an organisation properly from a business perspective is not an inexpensive exercise. Security is still a long way below the salt and the best Security Managers are forced to buy point solutions due to budgetary constraints and try to manage them -- which is fraught with difficulty!

    There is no Holy Grail, but there is a silver non-poisoned chalice! To drink from it you have to reserve the money, and consider the desired result for the business before charging off looking at products. It is not individual products that make the best solution, it is the creation of a business related manageable model -- and that is the key -- manageable. (Anybody ever see the CA advert with all the fire alarms on the wall? "More security does not make you more secure -- better management does!" -- oh how true!)

    Manage identities, manage access and manage vulnerability is a good yardstick -- don't look at products because they are "clever" but see how they fit in with the business strategy.

    Business, business, business, that's where to start -- and don't think that the authors will be the best to deal with; the true Value Added Reseller is not limited to that author's products and may know a lot more about their practical implementation in a business environment!

    Vendors are not perfect -- neither are customers! Don't ask your suppliers to meet a "requirements list"; explain what you are trying to achieve and ask them how they would go about it. Let them ask you questions, listen to what they say, there may be more than one way of skinning a cat!

    From a sales point of view the good sales specialist won't sell the customer what he/she wants -- they will sell them what they know they need from open discussion and understanding! Of course the customer needs to engage with the right organisations and not buy on price, nor just buy the most expensive in the incorrect view it must be the best!

  5. Rob Lewis

    IT security and all its FOIBLES.

    Security product vendors have based sales pitches on FOB (fear of breach, distant cousin to FUD) because their products give only an intangible ROI based on breach avoidance. I think it is now compounded by the need to comply with privacy legislation, so it can still be summed up as:
    Fear Of Imagined Breaches Leads(to) Expensive Spending.

  6. Bob Hail

    One man's bullshit is another man's manure...

    I would say that the vendors' approach is one of extreme paranoia mixed in with a single purpose, i.e. to sell secure xyz, whereas the IT director has real life to deal with and the paranoia is a very small part of the day to day tasks. Planning and budgeting would probably rank higher than security.
