Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

S#!T Some Security Vendors Claim

The information security space is a hot, fast-moving market; and with that heat and speed comes both good and bad.

The information security space is a hot, fast-moving market; and with that heat and speed comes both good and bad.

Demand for IT security skills is outstripping the market by more than a million job openings according to some experts, which means that, along with a notoriously small community of genuine experts who make a living working to protect (or exploit) high value data, the Peter Principle is often in full effect. As people rise to the level of their incompetence, they bring with them a lot of myth and misinformation—fear, uncertainty and doubt sown to sell products or preserve job security.

I’ve talked with a lot of frustrated CISOs who have to deal with the bluster. Good, competent professionals tasked with setting strategy and acquiring tools to keep their organizations’ systems and data safe. Their BS detectors are fine-tuned and their boots are high enough to wade through the thickest of it. Here’s a small sample of the claims they’ve been told that turns them off and that has the insidious effect of tainting by association every vendor that walks through the door.

Don’t Believe The Hype:

Buzzwords are the bane of the CISO’s existence. Whatever the latest trend is, every vendor tries to figure out a way to hitch their wagon to that star, whether it is machine learning, artificial intelligence, behavioral analytics, orchestration or whatever.

“The problem with buzzword bingo is that it diminishes the truly innovative work being done by a lot of good security companies who aren’t chasing trends but are actually solving problems,” one CISO told me. 

Out of Alignment:

A good technical sales representative knows their product and knows how to listen. Sometimes the CISO will encounter a pitch that doesn’t quite fit the product. Maybe it’s because the rep hasn’t taken the time to learn the product, or maybe it’s because the product team failed to convey the value of the tool they built. Either way, the result is often more hokum than hook—to the vendor’s detriment.

Advertisement. Scroll to continue reading.

“I remember one especially bad pitch from an endpoint security vendor with a product focused on identifying and preventing malicious files on endpoints using machine learning capabilities,” one CISO recalled. “Yet, the pitch was about replacing existing anti-virus vendors even though their product’s coverage was weak and the effort to implement the solution was extremely high.

Security Vendor Claims“Good security pitches start with a vendor that understands its product strengths and provides an honest assessment of how the solution aligns with customer needs,” the CISO continued. “A good pitch also includes fresh, unique approaches to existing problems.”

To Thine Own Self Be True:

A CISO’s mandate requires that they understand the makeup of their organization in order to assess and address risk. That means knowing the technical environment, how data moves within the systems, industry-specific threats and regulations and company culture. Once this knowledge has been acquired, a meaningful strategy can be drafted for the organization’s needs.

When a vendor comes in for a presentation and, after only a few minutes, claims to know precisely what your challenges are and how to solve them, that’s a major red flag for the confident CISO.

“I hear hyped up pitches all the time; powerful messages offering Holy Grail solutions. That’s why it’s important to ask tough questions and test the vendor rep’s spiel,” One frustrated CISO said. “You know your risks best, so keep the focus on what you need done first. Ask specific questions that can’t be answered with rehearsed lines. Once you have that alignment, focus on validation post-implementation and how well the controls will operate to continuously reduce your risks.”

Separating Fact from Fiction

What’s the best way to separate vendor facts from fiction? 

Once you put the vendor to the test, a CISO said, the pretenders are easy to spot. 

“When you start asking specific questions you find a lot of vaporware with no demo, or fancy interfaces being presented as new and novel security solutions with nothing under the hood. I am still surprised at the number of companies that make the effort to get in for a pitch but have no practical architecture for any feasible deployment in an existing environment.”

Another way is to “play the hacker.” My colleague, Itzik Kotler, CTO and co-founder at SafeBreach, states that, to not fall for snake oil claims, it is important to gain the hacker’s perspective. “By understanding what is possible from an adversary, you can better judge your defenses and controls, and quantify what’s working.” In other words, get your red team or “automated breach and attack simulation technologies” into the mix to test the claims from vendors. 

Finally, it’s important to connect with the experts behind the scenes.

“The onus is on us as CISOs when we hear the pitch to ask the vendor to go deep,” a CISO said. “For example, take a claim like machine learning and ask the sales team to pull in the CTO, chief scientists and other experts to help drill-down and understand the nature of the algorithms. This takes extra time, but it’s worth doing because we rely on efficacy of these technologies to help steer our decisions.”

The lesson for the CISO community—both the newbies and the grizzled old veterans—is to make the effort to stay on top of state-of-the-art for our industry. IT security evolves faster than we realize and the pace of innovation is astounding. It is important for CISOs to keep up with the hackers; it’s just as important to keep up with the hacks.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bring new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep-learning to detect malware, and CMO at SafeBreach where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem