Dealing with the Security Vendor Merry-Go-Round

I had the opportunity to listen to a number of security vendors pitch their stuff and some of the recent Merry-Go-Round sounds pretty impressive until you start digging into it. Here are a few of the stories with names and specifics redacted to protect the innocent.

Vendor One

This provider of security stuff energized their strategy around machine learning and data science and made it the centerpiece of their products. And, truth be told, it's actually quite a good strategy.

I'm not sure about the execution as I did not have the opportunity to get my fingers, hands, and brain dirty playing with the stuff and have not had the opportunity to talk with some of their customers who've had the opportunity to do likewise. What I don't know is whether any customers have yet used it as the vendor would not provide any insight into customer uses: usually not a good sign. I sure hope they move to reality soon.

So, I'll pass on judging where along the path this vendor is in transforming what has been a pile of disconnected point products into something that can be powered by patterns found in data. But, I'm hoping they get there.

Vendor Two

A second vendor I recently talked with has this great workflow system for responding to security incidents that pulls data from nearly any incident source, integrates with common ticketing systems, integrates data from leading vulnerability scanning systems, and with leading end-point and gateway security controls. Neat stuff, huh?

The only problem is the product is solving yesterday's problem. It throws very expensive software plumbing into a mix of unconnected systems to automate the task of responding to a security incident. The rate at which humans can operate its workflows will be vaporized by robotic process automation and forms of digital labor in the not too distant future. And, when this occurs the value of all this complex integration software - and the vendors - will be up in smoke: not to say the same will happen to the CISOs and CIOs who signed off on the purchases and costs to integrate and deploy this octopus.

It's very hard to tell people their baby is ugly, but this one will be when it grows up.

Vendor Three

A third vendor I spoke with recently is a well-respected brand who went out of their way to tell me how great they were in security, even though this is not their primary line of business. After carefully and attentively listening to the pitch I asked some simple questions about their customers, business partners and a bit more detailed explanation of what the products did and how they did it. The responses and further follow-up questioning resulted in the admission the vendor had not yet brought the product to market, that the products were still on the PPT drawing board, and were in "concept testing" with me being an obvious subject under test.

Vendor Four

I met with this vendor about two years ago when they were operating in stealth-mode. For those of you unfamiliar with this, it is sort of like a caterpillar before it becomes a butterfly. It is a time during which a lot of mistakes can be made in trying to sort out what's going to stick in the market. This vendor just shipped their first release product about six months ago, a full year and a half after I first met with them. During this time the chutzpah about slaying the dragons was loud and center with the CEO of the company and this trait remains front and center today. I wish them the best.

Vendor Five

This vendor claims to be on the forefront of software and data analytics that drive insight for its customers. The truth is the vendor is nothing but a hardware job shop trolling for customers who want to buy devices at the lowest prices. It's hard to shake the dichotomous picture between what is stated on the vendor's website and what its customers actually experience. It's like an alternate universe, or in the contemporary vernacular: alternate facts!

Why do I tell these stories?

Well, one reason is to provide some insight into the world of technology vendors. It's sometimes not a pretty sight, while at other times it's full of promise that is not yet being tested in the market, and at still other times it is a jaded exercise of chasing weaknesses that results in orders and market share for the vendor despite what it does to the customer. This merry-go-round has been going on for centuries and is still going on. If you are a buyer of IT products and security software or services, it's probably a good idea to be a bit jaded and circumspect: it will pay big career dividends.


