Cybersecurity Products Rarely Live Up To Marketing Claims: RSA Panel (esecurityplanet.com) 34
A panel at this week's RSA Conference argued that 90% of security buyers aren't getting the efficacy from their products that vendors claim they can deliver.
Slashdot reader storagedude writes: Joe Hubback of cyber risk management startup ISTARI led both the panel and the study, which was based on in-depth interviews with more than a hundred high-level security officials, including CISOs, CIOs, CEOs, security and tech vendors, evaluation organizations and government organizations.
Hubback said that "90% of the people that I spoke to said that the security technologies they were buying from the market are just not delivering the effect that the vendors claim they can deliver. Quite a shocking proportion of people are suffering from technology that doesn't deliver."
A number of reasons for that product failure came out in the panel discussion, according to eSecurity Planet, but they can be boiled down to some key points:
- Cybersecurity buyers are pressed for time and most don't test the products they buy. "They're basically just buying and hoping that the solutions they're buying are really going to work," Hubback said.
- Vendors are under pressure from investors to get products to market quickly and from sales and marketing teams to make aggressive claims.
- On top of those pressures, it's difficult to architect tools that are effective for a range of complex environments – and equally difficult for buyers to properly assess these "black box" solutions.
Those conditions create an information asymmetry, said Hubback: "A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can't properly evaluate what they're buying."
Hubback and fellow panelists hope to create a GSMA-like process for evaluating security product abilities, and he invited RSA attendees to join the effort.
Slashdot reader storagedude writes: Joe Hubback of cyber risk management startup ISTARI led both the panel and the study, which was based on in-depth interviews with more than a hundred high-level security officials, including CISOs, CIOs, CEOs, security and tech vendors, evaluation organizations and government organizations.
Hubback said that "90% of the people that I spoke to said that the security technologies they were buying from the market are just not delivering the effect that the vendors claim they can deliver. Quite a shocking proportion of people are suffering from technology that doesn't deliver."
A number of reasons for that product failure came out in the panel discussion, according to eSecurity Planet, but they can be boiled down to some key points:
- Cybersecurity buyers are pressed for time and most don't test the products they buy. "They're basically just buying and hoping that the solutions they're buying are really going to work," Hubback said.
- Vendors are under pressure from investors to get products to market quickly and from sales and marketing teams to make aggressive claims.
- On top of those pressures, it's difficult to architect tools that are effective for a range of complex environments – and equally difficult for buyers to properly assess these "black box" solutions.
Those conditions create an information asymmetry, said Hubback: "A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can't properly evaluate what they're buying."
Hubback and fellow panelists hope to create a GSMA-like process for evaluating security product abilities, and he invited RSA attendees to join the effort.
Captain Obvious Was Here (Score:4, Insightful)
Has anything anyone ever ordered lived up to the brochure?
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
I would say a high proportion of security silver bullets are tiger repelling rocks in disguise. They are marketed as if just owning the very expensive thing makes you secure.
If the Weber grill was sold like the security solutions, they would claim that even the biggest kitchen klutz will become a five star master chef just by using the grill. They would very carefully word their ads to leave the impression that the grill would go out and get the items you most wanted for dinner and cook them to perfection a
Re:Captain Obvious Was Here (Score:4, Interesting)
Has anything anyone ever ordered lived up to the brochure?
In markets for professionals, yes. When you order a screw, a micrometer or a microcontroller from a not too shady source, it is very likely that it will behave as the specs say. But IT and IT security products are not professional markets as the buyers, on average, do not have the knowledge, skill and experience to actually assess product quality competently.
Re: (Score:2)
The laws of physics do not change, a 1mm is always 1mm, 3.3v is always the same potential difference, 85C is always the same temperature. Screws, micrometers and microcontrollers can easily be tested to meet their specifications.
Anti malware products are dealing with a continually evolving threat, and trying to mitigate flaws in other people's code that is also getting regularly updated. Some of the flaws are in the CPUs themselves.
What specification would you define that they could be tested against?
Re: (Score:2)
You both describe and miss the point here. Nice.
Re: (Score:1)
Well, okay, I'll re-ask for anything non-trivial. Standardized components can be robotically tested and inspected to fit a standard specification such that each specimen is almost a perfect clone.
Have you been to the RSA Conference? (Score:5, Informative)
What makes it worse is even some of the presentations at RSA and other conferences are basically all sales and marketing. I've seen presentations where it's about "New vulnerabilities in the landscape," and then it's a security engineer reading a script and pitchdeck written by sales and marketing, that gives no helpful technical information.
Combine this with a large quantity of security professionals and executives who buy based on business decisions, personal relationships and the good ol' boys and not sound technical and empirical justifications -- and you have conditions ripe for the state the article describes.
Ah, yes? (Score:3)
Most cybersecurity products try to suggest that if you buy this one magic product you do not need expensive IT security experts. That is, of course, completely untrue, because nothing but those experts can even evaluate what you need, what the threats are, what your assets are and how they need to be protected. And keep that evaluation updated as the situation changes. But this is the lie used to sell these products. In actual reality, this may eventually work when IT is mostly stable and established and technological advances move very slowly. Say, > 50 years from now.
Re: (Score:1)
Microsoft is successfully duping our org to use Power Platform point-and-click programming. Things like factoring, long-term maintenance, versioning, etc. are being pissed on and the PHB's don't seem to care or want to care.
Unrealistic Expectations (Score:3)
All those "CISOs, CIOs, CEOs" have unrealistic expectations. They would like the security products they buy to be a buy-once use-forever magical solutions that would grant them 100% bulletproof security with minimal involvement from any human being and definitely without having to spent any more money.
They don't understand that cybersecurity is a never-ending battle between new threats and the technological stack utilised and/or built by their company. It's a battle which requires a solid strategy, continuous research and development, fast adaptation, even quicker response and... infinite amounts of both technological, financial and human resources on an ongoing basis.
If your expectations are so detached from the reality then no wonder you end up disappointed.
Just use statistics (Score:2)
There's enough ransomware attacks that with mandatory reporting you could statistically check the quality of intrusion detection/prevention products.
Welcome to tools (Score:2)
That's the definition of a tool. It doesn't matter if we're talking about a kitchen gadget, or a power tool, or a software tool, or a household decorative element.
All tools work exactly as promised -- in exactly one very specific set of circumstances.
This screwdriver works with this type of screw, in this large a space, with this size of hand, in this type of glove.
This kitchen knife cuts this type of food perfectly and easily every time. If you know how to hold a kitchen knife (if you said "by the handle
Re: (Score:2)
One important thing to mention - using a tool usually requires a human operator, the requirement which most of the C-level executives are very uncomfortable with.
RSA's Cryptography Products ... (Score:4, Interesting)
Re: (Score:2)
But maybe the conference was intended just to candidly talk about this obvious stuff? /shrug
Best Security -- Microsoft Windows computers? (Score:2)
Re: (Score:2)
The built-in one and your brain. Neither of these are optional.
Re: (Score:2)
Linux. Windows cannot be fixed, as, for example, evidenced by that current zero-day vulnerability that is now waiting for an official patch for 14 days and has been actively exploited for nearly that long. Apparently not even MS can fix Windows code anymore without breaking lots of things...
Same As It Ever Was... (Score:3)
The harder the push, the poorer the product.
Re: (Score:2)
It gets quite scary when one remembers to really apply that.
Regulation + penalties for lying needed. (Score:1)
This is where capitalism fails "we the people". If you can't know what you're buying, then you can't direct your money to valid vendors. Companies have figured this out and there is nothing customers can do about it without help from our governments (who are all bought off by said companies).
And getting restitution shouldn't be limited to the already rich. Maybe if we stopped all the "make work" and duplication of effort (companies all keeping secret what they figured out), we could have that effort go s
Re: (Score:3)
Right. Just switch to Communism. That works so well!
Speaking of security nightmares
I'm not the first to point out this is obvious. (Score:2)
Think about it: to break into a secure system, you have to be smarter than the guy that secures that system. To secure the system, you have to be smarter than all the guys trying to break in.
To make money selling security software, you just have to be smarter than a PHB.
Re: (Score:2)
Actually, no. To break into a system you have to be smarter than the dumbest person that ever put in some hard-to-change functionality. See MS Windows for a nice example of that.
All marketing is a lie. (Score:2)
It starts when your father acquires a "#1 Dad" mug, and it never stops.
Cue: George Carlin on advertising.
Correction: (Score:2)
They have never lived up to their promises. The only people who weren’t compromised were either very lucky, or else they followed procedures that reduced their attack surface using other, non-commercial methods.
Firewall logs query (Score:1)
Cyber problems (Score:1)