Why blaming security vendors got old

In the six years I've been covering the information security community, I've been trained to look at vendors with deep skepticism. The goal has always been to interview end users about the thrills (and ills) of cybersecurity from the perspective of their own IT shops.

Talking to too many vendors was not always constructive, because a vendor was always going to pitch its products and go for the next sale, no matter how high-minded and trend-focused the discussion was meant to be.

But my view on all this is beginning to change. Before you start calling me a sellout, consider the following:

  1. Many of the people who were respected IT security administrators five years ago now work for vendors.
  2. Security vendors have always been more willing to talk to journalists like me than the people in the trenches have been. It's not that the practitioners didn't want to talk; it's that doing so sometimes meant risking their jobs. Some of my friends who have crossed over to the vendor side now get to talk about things much more openly than they could before.
  3. In a majority of the data breach cases I've covered, the problem turned out to be failures of technology and policy within the company, not failures on the part of the vendor. An example is my "Failure of security investments" podcast with fellow National Information Security Group (NAISG) board member Jack Daniel.

To be sure, there are still plenty of reasons to hold a vendor's feet to the fire.

One criticism I've heard from people is that too many vendors pitch themselves as data loss prevention (DLP) providers when their products don't necessarily fit the label.

Then there are times when vendor error causes all kinds of hell in the IT department. There was the McAfee signature update that went horribly awry a few weeks back, and the story of a vendor that had made five sizable mistakes in its cloud strategy.

But in the bigger picture, I've made my peace with the vendor community.

As I mentioned, a lot of the end users and IT security administrators I used to quote in 2005 are now working for vendors themselves. Their career move, which some might describe as a shift to the dark side, meant they could take what they learned in the trenches and help the vendors they work for develop better technology. And that's what they have done.

Others have gotten their companies to participate in community events in bigger ways than they otherwise might have. During his tenure at Astaro, Daniel has gotten the company to sponsor bus trips to security events such as ShmooCon. That and the other initiatives he has put a lot of effort into, such as the Security B-Sides events around the country, have been so successful that Astaro made him its "community development manager."

Another example is Erin Jacobs, former United Collections Bureau CSO and one of this year's CSO Compass Award recipients. Her side work on B-Sides and other events, as well as her Security Sociability blog got enough attention that she's since been hired by security services firm IOActive.

Finally, I've come to appreciate that some of the best security researchers work for one vendor or another. Working for a vendor gives them resources they might not have had on their own. When security vendor Rapid7 acquired the hugely popular Metasploit tool late last year, questions abounded as to whether this would diminish the quality of the tool or the work of its creator, HD Moore. I'm not so sure people are nearly as concerned about that now, even if Moore gave his Source Boston 2010 keynote in a suit and tie.

The big lesson is actually something we've all known for a long time -- that this is one community in which you need the vendors and analysts as much as the end users to make this whole thing work.

If this perspective makes me a sellout, so be it.

This story, "Why blaming security vendors got old" was originally published by CSO.

Copyright © 2010 IDG Communications, Inc.