Radio personality Garrison Keillor always ends his fictional newscasts with the impossibly optimistic "and that's the news from Lake Wobegon, where all the women are strong, all the men are good looking and all the children are above average." It's a cute piece of fiction that encapsulates an important lesson in unrealistic expectations.
Hype is ingrained in today's culture, and too many infosec vendors are guilty of the "Wobegon Syndrome." They pander to unrealistic user requirements and make outlandish claims about their solutions.
The concept that a product can only succeed if it's perceived as "best in class" creates a ludicrous situation in which virtually every high-tech product and service claims that it's "the leader." The British company GFi claims to be a "leading e-mail and network security provider," but they distribute through Tucows. Certificate authority GlobalSign describes itself as "a leading trust services provider for Internet-based transactions," a typically obtuse abstraction for a firm in an overcrowded market. Whale Communications claims to be "the recognized leader in air-gap security technology," a safe claim for a product that may never be part of a recognized market.
Is the NetGuard firewall truly "acknowledged worldwide as a leading firewall product?" (It's offered by LanOptics, "a leading supplier of hubs.") Defunct firewall-maker ANS had claimed to have a leading product when its installed base of Interlock firewalls was less than 100 systems. Check Point can certainly claim to have the largest share of the firewall market, but this assertion, made loudly and often, provides absolutely no insight into why its product might be different from or better than others.
Florid press releases alone do seem inadequate in building product demand, which is why vendors usually resort to the dreaded white paper -- the assumption being, marketing claims are somehow substantiated by "objective" explanation. Well-heeled vendors can afford to buy objectivity, purchasing it from market analysts and organizations like National Software Testing Laboratories, "the recognized brand name in the testing arena." NSTL's verbiage explains that "Most of the leading providers leverage their reputation on their technology," and that NSTL can "objectively test your product or solution, giving you the data needed to support your marketing claims." I think I know what NSTL meant to say, but I wouldn't want to explain to my boss that I based a buying decision on research purchased by my supplier to support its own marketing claims.
Or, how about those slick, vendor-produced ROI studies? They're cheap to produce because real research is neither needed nor desirable. The last time I worked for a software vendor, our sales staff demanded silver bullets ... er, I mean ... they requested a document that made a compelling and incontrovertible business case that our product was worth more than its price tag. Our VP of sales explained that our prospective customers "begged" for something to give their boss so they could buy our product. This meant devising an elaborate estimate for the time hypothetical buyers would spend administering passwords without our product, and the cost savings from good system hygiene through the use of our product.
Weren't those prospects savvy enough to ask how in the world it is possible to determine the life-cycle cost of a product that had never shipped?
Instead of hyperbole, what would happen if vendors proudly differentiated themselves from their competitors by discussing their product's quality, utility or -- heaven forbid -- price? Can't they provide a compelling justification for our patronage?
I challenge sellers to have the courage to create messages of substance. Stop wasting our time with meaningless jargon.
I challenge buyers to have the strength of character to recognize an unclothed emperor. You're not dealing with trendy kitchen gadgets here; you're responsible for the protection of your information infrastructure. You're in a position of trust, and that means you must have higher standards.
About the author:
Jay Heiser, CISSP, works for a large European Bank in London, England. His most recent book is Computer Forensics (Addison-Wesley, 2001).