By Art Reisman
In summary, he calls out all the vendor sales presentations with slides citing all the statistics as to why you should be scared. Here is the excerpt:
I want you to take out the last slide deck you either made, received, or reviewed on the topic of security. Now open it up and tell me if it fits the following mold:
- [Slides 1~4] – some slides telling you how horrible the state of information security is, how hackers are hacking everything, and probably at least 1-2 “clippings” of articles in recent media.
- [Slides 4~7] – some slides telling you how you need to “act now,” “get compliant,” “protect your IP,” “protect your customer data,” or other catch phrases which fall into the category of “well, duh.”
- [Slides 7~50+] – slides telling you how if you buy this product/service you will be protected from the threat du jour and rainbows will appear as unicorns sing your praises.
Here’s the thing… did you find the slide deck you’re looking at more or less fits the above pattern? Experience tells me the odds of you nodding in agreement right now are fairly high.
And then he blasts all vendors in general with his disgust.
Ask yourself, if you write slide decks like this one I just described – who does that actually serve? Are you expecting an executive, security leader, or practitioner to read your slides and suddenly have a “Eureka!” moment in which they realize hackers are out to get them and they should quickly act?
I can certainly understand his frustration. His rant reminded me of people complaining about crappy airline service and then continuing to fly that airline because it was cheapest.
Obviously FUD is around because there are still a good number of companies that make FUD-driven purchases, just like there are a good number of people that fly on airlines with crappy service. Although it is not likely that you can effect a 180-degree industry turn, you can certainly make a start by taking a stand.
If you get the chance, try this the next time a vendor offers you a salivating FUD-driven slide presentation.
Simply don’t talk to the sales team. Sales teams are a thin veneer on top of a product’s warts. Request a meeting with the Engineering or Test team of a company. This may not be possible if you are a small IT shop purchasing from Cisco, but remember you are the customer, you pay their salaries, and this should be a reasonable request.
I did this a couple of times when I was the lead architect for an AT&T product line. Yes, I had some clout due to the size of AT&T and the money involved in the decision. Vendors would always be trying to comp me hard with free tickets to sporting events, and yet my only request was this: “I want to visit your facility and talk directly to the engineering test team.” After days of squirming and alternative venues offered, they granted me my request. When the day finally came, it was not the impromptu sit-down with the engineering team I was hoping for. It felt more like I was visiting North Korea. I had two VPs escort me into their test facility, probably the first time they had ever set foot in there, and as I tried to ask questions directly of their test team, the VPs almost peed their pants. After a while the VPs settled down, when they realized I was not looking to ruin them; I just wanted the truth about how their product performed.
FUD is much easier to sell than the product.