It's all pretty silly, but when the name of the game is perceived differentiation, there are no other options. Every vendor needs to re-educate the market as to why its product is great and everyone else's isn't, but that doesn't mean practitioners need to accept what they say. Practitioners should educate themselves about what a vendor really means. To facilitate this process, I'm proud to present my own guide to vendorbabble, or how I learned to stop worrying and love marketecture.
Freeze the market
Vendors often roll out big-time marketing initiatives when their products are no longer competitive in the feature/function wars. They're drawing attention to whatever shiny object they've just announced and not focusing on the fact that they're falling behind. They call this selling a "vision."
A great case in point is Cisco Systems Inc.'s TrustSec. Cisco was the first to really talk about network access control (NAC), though it was talking mostly about "admission control," or the concept of host-integrity checking. Two years later, the market has largely moved beyond that limited use case, though Cisco's product hasn't.
So what does Cisco do? Announce a new, cool initiative called TrustSec, which involves embedding a lot of this intelligence directly into the switches, providing a secure network fabric. The announcement represents little more than minor details that will appear in its product line during the next few years -- maybe. Regardless, it's a great way to stay relevant while the product capabilities catch up.
Being 2.0 in a 1.0 world
Another way vendors try to gain a leg up on their rivals is by painting competitors in a geriatric light. In other words, tell customers that other vendors are old and not ready to meet tomorrow's challenges. Of course, who knows what tomorrow's challenges will be?
This is what Symantec Corp. did with its Security 2.0 announcement in 2006. After the train wreck that was Symantec's acquisition of Veritas Software Corp., Big Yellow lacked a compelling strategy for the security side of its business, so it jumped on the 2.0 bandwagon and called its new strategy -- wait for it -- Security 2.0. Of course, that meant everyone else was Security 1.0. Brilliant! It would be even better if there were any truth to it.
The standards deception
One of the great uses of vendor doubletalk concerns standards. The idea is to come up with an interesting technology (or even a not-so-interesting technology) and get a bunch of technology partners to buy in, making it the de facto standard, then lobby a group like the Internet Engineering Task Force (IETF) to make it a formal standard. By the time any standard gets ratified, the ADD-ridden buying public is well past the original technology, but the vendor that controls the technology has been running to the bank selling a standard technology that isn't a standard.
Microsoft and Cisco are particularly guilty of this. For instance, consider NAC. Both Cisco (CNAC) and Microsoft (NAP) issued their own frameworks and got a bunch of technology companies to jump on board. The result: instant momentum and mindshare won. And Microsoft was talking about NAP more than a year before the technology was available.
What about the vendors that aren't in on the first set of partnerships and are losing the mindshare battle? They inevitably come up with another, multi-vendor "standard." This is right out of the Juniper Networks Inc. playbook. Juniper had no choice but to push the Trusted Computing Group (TNG) to produce its own NAC standard, since Cisco and Microsoft took the early lead.
If you can't fix it -- feature it
When vendors have a huge gap in their product lines that would be prohibitively costly to fill, they pull one of the oldest tricks in the book -- convince the market that those missing products are no longer important. Let's look at RSA's recent positioning around "information-centric security." A storage company (EMC Corp.) owns RSA, thus it makes sense to paint everything, so to speak, with a data-security brush. That positioning conveniently glosses over the issue that RSA never had a network security strategy in the first place.
The last in the lineage of vendorbabble is the age-old technique of rebranding. If the existing position in the market is represented by poor execution, a falling stock price and executive turmoil, then it's a perfect time to rebrand. Let's look at McAfee Inc. as exhibit No. 1. Little Red (as I like to call them) was a pretty crummy performer after CEO William Larsen left the company. McAfee brought in George Samenuk from IBM to clean up the mess, but he created his own mess with stock option backdating. The vendor then tried to move forward with a pithy new brand. This explains "Killer Security" as a tagline.
CA Inc. has undergone a similar experience. My prediction: it won't be long before Sourcefire Inc. and Secure Computing follow in these companies' footsteps, using the branding hammer to try to leave the past behind.
What is a security professional to do in the face of such doubletalk and vendorbabble? My best advice: ignore it and stay above the fray.
Focus on the problems at hand and how to solve them. When it's time to consider a security product, pay close attention to detailed feature lists, look at multiple competing products, conduct your tests and talk to other organizations with similar problems. There is no silver bullet to solve all the security problems, nor will there be.
Looking for a vendor with all the answers? Look no further. It doesn't exist.
About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about his book, the Pragmatic CSO , read his blog, or reach him via e-mail at firstname.lastname@example.org.
This was first published in August 2008