Today's Rothman Fable: The Country Bumpkin Security Buyer and the Security Snake Oil Salesman
Ya gotta love Mike Rothman! Even when I agree with him, I disagree with him. In today's Daily Incite, Mike goes off on New Boundary Technologies for trying to peddle the rubber stamp for PCI compliance. Mike tells us that most vendors trade on FUD and that the new PCI standards are just the latest in a long line of examples on this point. Mike then goes on to say that there is no such thing as a silver bullet for compliance. It is a byproduct (OK, he uses the term happenstance, but I am a plain kind of guy) of good, best practices in security. Surprise, Mike, I agree with you! When I first started in the security business years ago, FUD was certainly the driving force in selling security. Certainly, some vendors still resort to FUD as the compelling reason of last choice. I do think that there is no silver bullet for compliance. There are no HIPAA or PCI police to regulate people making wild claims, though there are PCI-certified tools you can use to help with PCI compliance.
Where I disagree with Mike is on two fronts. First off, vendors who have spent some time on these compliance issues and are in this game for the long run can do it right. Not to blow our own horn, but at StillSecure we are actually in the middle of a PCI campaign right now. On our web site we have some great material that talks about the specific PCI security requirements, a matrix showing you how a specific StillSecure solution matches up to each requirement, a good whitepaper on PCI compliance and a whole lot more, including some tips on passing an information security audit. We don't claim to be the be-all and end-all of PCI compliance, and we don't claim that you will fail your audit without using our products. However, we can help. This is not FUD, this is not snake oil sales; this is working hard to give customers what they ask us for and solve their everyday problems. Sorry for the StillSecure commercial, but it was the best example I could find.
I said I disagree with Mike on two fronts; here is the second. Mike and his friend Rich Mogull (yeah, I saw the second post on this about liars and crack) make the point that it is the greedy, lying, scheming security vendor who is duping the poor, innocent security buyer who just fell off the Turnip Truck. Hey guys, they may have fallen off the truck at night, but it wasn't last night! Let me give you another view on this. How come, no matter what the vendor develops, the customer always wants either what is in the next release or some custom feature that they decide is a must-have for them? They push the vendor to get the most features for the least price and put as much hair and as many strings on the deal as they can. After all, they don't want to get taken advantage of. They buy the product knowing that the functionality they say they want may not be fully baked yet, but they want it now, and when it does not work as they want, the security vendor fooled them? Mike was right originally when he said it was about mismatched expectations. However, those expectations are as often set up by the buyer as they are by the seller. It takes two to tango, boys, and one can't always blame the big bad vendor, even if the other guy is paying your salary.
Editor's Note: thanks to David Shiflet, In the Turnip Truck, for providing the book I doctored up.