Preventing intellectual property abuse

One of my pet peeves with security vendors like Symantec, Vontu, Websense and Checkpoint is marketing collateral that totally disregards the basics of security – it’s like they hired an English major straight out of school and told them to start writing. Sensitive assets, confidential assets, proprietary assets – you can make a total mishmash as long as you mention compliance, SOX and HIPAA at least 3 times in the article.

Since the business situation, corporate culture and IT infrastructure of every company are different, we believe that it is incorrect to choose security countermeasures on the basis of product features – especially when vendors provide pseudo-risk-management justification for their offering – read Andrew Jaquith on the hamster wheel of pain.

We submit that selection of security countermeasures requires measuring their effectiveness against a particular threat. Read more about this revolutionary idea on Preventing intellectual property abuse and you’ll see exactly how to choose a security product using a practical threat model – visit Practical Threat Analysis and download the free software.


5 thoughts on “Preventing intellectual property abuse”

  1. Pillars of companies like Symantec, Websense, … are finance, legal and marketing. Nothing is really related to quality of their services/products … When they acquired new companies, very often their developers leave them with the Intellectual Property. They had started to acquire / hire consultants and same events occurred … So I think they are about to lose ground against high value security companies providing their services in a more fair way, thanks to cloud computing.
    Cyril – cyril@keross.com

    1. Cyril
      That’s a pretty strong statement – not that I disagree with you – I’ve been saying for a long time that the connection between companies like Symantec and technical excellence is accidental.

      I’m curious how you see high value security companies and cloud computing working together to provide better, more cost-effective data security solutions for companies. Are there any particular firms on your radar?

      Danny Lieberman

  2. @admin

    Best example is a company like Qualys. They have a very good Vulnerability Assessment Tool that has used intensively SaaS model to bring an easy to use and efficient tool.

    You can also check a company like catbird which is aggregating different technologies to provide all of them through a single dashboard.

    We are doing also the same with our portal where we also include Prof. Services for Ethical Hacking and Vulnerability Management. We profit then from the quality of specific resources and we use Internet and Cloud Computing to promote and deliver it worldwide.

    We have been facing too much Vendor Marketing using fear and Analysis company influencing (Gartner for example) to trust them anymore. There are a lot of top notch companies worldwide that are just fantastic but unknown.

    You are right this is a strong statement but after 15 years into this security vendor world, I can say this is nothing related to quality when these companies have to publish quarterly their results to their shareholders.

    Cyril – cyril@keross.com

    1. Cyril,

      Qualys is indeed an outstanding example – I wonder how much traction they’re getting for their compliance SaaS. I imagine the core business is still network V/A. That is where Beyond Security excels also. I am checking out Catbird V-Security to see their offering as well. Do you know of any companies doing security in the cloud for data security (trusted insider threats)?

      If you read this blog, then you know that I am highly critical of security vendors like Symantec and their industry analyst partners (like Gartner). Gartner and Forrester have a symbiotic relationship with vendors and IT departments to identify requirements, drive budgets and justify big spending on products from the big IT vendors that can afford Gartner and Forrester consulting services. It is not in Gartner’s interest to push a small vendor like Verdasys or Beyond Security who are technically outstanding but won’t or cannot pay Gartner consulting fees – witness Fidelis Security Systems for example in the data security space.

      US companies spend $14BN / year on security and corporate governance activities related to their business software BPM, ERP, IT security, BI, etc, etc plus GRC stuff (this number courtesy of French Caldwell who works for…Gartner). Despite all the compliance and security spending in the US – security breaches are constantly increasing.

      Having said that – I think that being a publicly-traded company is not a root cause for mediocre, ineffective products that are costly to maintain and often cause collateral damage.

      I think the root cause for vendors like Symantec and Websense producing mediocre products is a focus on product features not on customer data security. It’s like women’s fashion – if it’s sexy, who cares if it’s uncomfortable. A woman can always go home and change into jeans and sneakers after dinner – but we’re using these products to protect sensitive digital assets and that’s a 24×7 job.

      Bruce Schneier has suggested regulation requiring companies like Microsoft to be responsible for software defects that cause security vulnerabilities.

      Personally – I think the solution is (unfortunately) a really deep recession that will force companies to stop spending on proprietary, mediocre security products from companies like Symantec and Websense and consider
      a) how much value at risk they really have and
      b) what security countermeasures are really cost-effective.

      Danny Lieberman

  3. Danny,

    Having worked into a publicly-traded company, I can tell you that quarterly they do not spend any minute explaining their technical achievements but only revenue ones … And they are emphasizing much much more their marketing strategy and sales model than simply their products … Take a look at their quarterly report, you will understand what their stakeholders want to read 😉

    I think they will keep doing it until the market wants something else. This being said, I do have the impression that present crisis is pushing customers to value more efficiency of solutions than the brand itself. Which is making small vendors emerging.

    Furthermore Internet is more and more used to find and evaluate solutions than Gartner, Forrester and other IDC Reports. “Small” vendors should focus their marketing on this media (trade shows are too expensive) and also change their sales strategy by replacing sales rep by educated techies. I explained this a bit on my blog if you wish to take a look and give me your comment :

