
How to look past information security vendor rhetoric

Security professionals are bombarded with messages from vendors (and their marketing messages) heralding sure-fire cure-alls for compliance and information security woes. So what's the best way to differentiate between a useful product and a useless slogan? In this special tip, security management expert Mike Rothman gives his advice.

What's the next big thing in security? Part of my job is figuring that out for my clients. Yet there is a huge issue in trying to be security's own Sherlock Holmes: the amount of "vendorbabble" that is constantly confusing everyone in this business. Exacerbated by about 800 security companies that are chasing the same 1,000 customers, vendorbabble hammers security professionals, telling them what their companies' problems are and using vendor-specific acronyms and vernacular to articulate how only the vendor's product can "solve" them.

It's all pretty silly, but when the name of the game is perceived differentiation, there are no other options. Every vendor needs to re-educate the market as to why its product is great and everyone else's isn't, but that doesn't mean practitioners need to accept what they say. Practitioners should educate themselves about what a vendor really means. To facilitate this process, I'm proud to present my own guide to vendorbabble, or how I learned to stop worrying and love marketecture.

Freeze the market
Vendors often roll out big-time marketing initiatives when their products are no longer competitive in the feature/function wars. They're drawing attention to whatever shiny object they've just announced and not focusing on the fact that they're falling behind. They call this selling a "vision."

A great case in point is Cisco Systems Inc.'s TrustSec. Cisco was the first to really talk about network access control (NAC), though it was talking mostly about "admission control," or the concept of host-integrity checking. Two years later, the market has largely moved beyond that limited use case, though Cisco's product hasn't.

So what does Cisco do? Announce a new, cool initiative called TrustSec, which involves embedding a lot of this intelligence directly into the switches, providing a secure network fabric. The announcement represents little more than minor details that will appear in its product line during the next few years -- maybe. Regardless, it's a great way to stay relevant while the product capabilities catch up.

Being 2.0 in a 1.0 world
Another way vendors try to gain a leg up on their rivals is by painting competitors in a geriatric light. In other words, tell customers that other vendors are old and not ready to meet tomorrow's challenges. Of course, who knows what tomorrow's challenges will be?

This is what Symantec Corp. did with its Security 2.0 announcement in 2006. After the train wreck that was Symantec's acquisition of Veritas Software Corp., Big Yellow lacked a compelling strategy for the security side of its business, so it jumped on the 2.0 bandwagon and called its new strategy -- wait for it -- Security 2.0. Of course, that meant everyone else was Security 1.0. Brilliant! It would be even better if there were any truth to it.

The standards deception
One of the great uses of vendor doubletalk concerns standards. The idea is to come up with an interesting technology (or even a not-so-interesting technology), get a bunch of technology partners to buy in so that it becomes the de facto standard, and then lobby a group like the Internet Engineering Task Force (IETF) to make it a formal standard. By the time any standard gets ratified, the ADD-ridden buying public is well past the original technology, but the vendor that controls it has been running to the bank all along, selling a "standard" technology that was never actually a standard.

Microsoft and Cisco are particularly guilty of this. For instance, consider NAC. Both Cisco (Cisco Network Admission Control, or CNAC) and Microsoft (Network Access Protection, or NAP) issued their own frameworks and got a bunch of technology companies to jump on board. The result: instant momentum and the mindshare battle won. And Microsoft was talking about NAP for more than a year before the technology was available.

What about the vendors that aren't in on the first set of partnerships and are losing the mindshare battle? They inevitably come up with another, multi-vendor "standard." This is right out of the Juniper Networks Inc. playbook. Juniper had no choice but to push the Trusted Computing Group (TCG) to produce its own NAC standard, Trusted Network Connect (TNC), since Cisco and Microsoft had taken the early lead.

If you can't fix it -- feature it
When vendors have a huge gap in their product lines that would be prohibitively costly to fill, they pull one of the oldest tricks in the book: convince the market that the missing products are no longer important. Consider RSA's recent positioning around "information-centric security." A storage company (EMC Corp.) owns RSA, so it makes sense to paint everything, so to speak, with a data-security brush. That positioning conveniently glosses over the fact that RSA never had a network security strategy in the first place.

When all else fails, rebrand
The last in the lineage of vendorbabble is the age-old technique of rebranding. If the existing position in the market is represented by poor execution, a falling stock price and executive turmoil, then it's a perfect time to rebrand. Let's look at McAfee Inc. as exhibit No. 1. Little Red (as I like to call them) was a pretty crummy performer after CEO William Larsen left the company. McAfee brought in George Samenuk from IBM to clean up the mess, but he created his own mess with stock option backdating. The vendor then tried to move forward with a pithy new brand. This explains "Killer Security" as a tagline.

CA Inc. has undergone a similar experience. My prediction: it won't be long before Sourcefire Inc. and Secure Computing follow in these companies' footsteps, using the branding hammer to try to leave the past behind.

So what?
What is a security professional to do in the face of such doubletalk and vendorbabble? My best advice: ignore it and stay above the fray.

Focus on the problems at hand and how to solve them. When it's time to consider a security product, pay close attention to detailed feature lists, evaluate multiple competing products side by side, run your own tests against your own requirements, and talk to other organizations with similar problems. There is no silver bullet that solves all the security problems, nor will there ever be one.

Looking for a vendor with all the answers? Look no further. It doesn't exist.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also an expert-in-residence on information security management. Get more information about his book, The Pragmatic CSO, read his blog, or reach him via e-mail at

This was last published in August 2008
