
Cybersecurity Products Rarely Live Up To Marketing Claims: RSA Panel (esecurityplanet.com)

A panel at this week's RSA Conference argued that 90% of security buyers aren't getting the efficacy from their products that vendors claim they can deliver.

Slashdot reader storagedude writes: Joe Hubback of cyber risk management startup ISTARI led both the panel and the study, which was based on in-depth interviews with more than a hundred high-level security officials, including CISOs, CIOs, CEOs, security and tech vendors, evaluation organizations and government organizations.

Hubback said that "90% of the people that I spoke to said that the security technologies they were buying from the market are just not delivering the effect that the vendors claim they can deliver. Quite a shocking proportion of people are suffering from technology that doesn't deliver."

A number of reasons for that product failure came out in the panel discussion, according to eSecurity Planet, but they can be boiled down to some key points:

- Cybersecurity buyers are pressed for time and most don't test the products they buy. "They're basically just buying and hoping that the solutions they're buying are really going to work," Hubback said.

- Vendors are under pressure from investors to get products to market quickly and from sales and marketing teams to make aggressive claims.

- On top of those pressures, it's difficult to architect tools that are effective for a range of complex environments – and equally difficult for buyers to properly assess these "black box" solutions.


Those conditions create an information asymmetry, said Hubback: "A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can't properly evaluate what they're buying."

Hubback and fellow panelists hope to create a GSMA-like process for evaluating security product abilities, and he invited RSA attendees to join the effort.

Comments:
  • by Tablizer ( 95088 ) on Sunday June 12, 2022 @01:38PM (#62613596) Journal

    Has anything anyone ever ordered lived up to the brochure?

    • Filed Under: No Shit Sherlock.
    • My Echo lawn equipment and Weber grill have both exceeded my expectation based on the manufacturer claims. My Samsung TV has been great too. I have had plenty of disappointments though so your point is well taken.
      • by sjames ( 1099 )

        I would say a high proportion of security silver bullets are tiger repelling rocks in disguise. They are marketed as if just owning the very expensive thing makes you secure.

        If the Weber grill were sold like the security solutions, they would claim that even the biggest kitchen klutz will become a five star master chef just by using the grill. They would very carefully word their ads to leave the impression that the grill would go out and get the items you most wanted for dinner and cook them to perfection a

    • by gweihir ( 88907 ) on Sunday June 12, 2022 @02:02PM (#62613636)

      Has anything anyone ever ordered lived up to the brochure?

      In markets for professionals, yes. When you order a screw, a micrometer or a microcontroller from a not too shady source, it is very likely that it will behave as the specs say. But IT and IT security products are not professional markets as the buyers, on average, do not have the knowledge, skill and experience to actually assess product quality competently.

      • by AmiMoJo ( 196126 )

        The laws of physics do not change: 1 mm is always 1 mm, 3.3 V is always the same potential difference, 85 °C is always the same temperature. Screws, micrometers and microcontrollers can easily be tested to meet their specifications.

        Anti malware products are dealing with a continually evolving threat, and trying to mitigate flaws in other people's code that is also getting regularly updated. Some of the flaws are in the CPUs themselves.

        What specification would you define that they could be tested against?

      • by Tablizer ( 95088 )

        Well, okay, I'll re-ask for anything non-trivial. Standardized components can be robotically tested and inspected to fit a standard specification such that each specimen is almost a perfect clone.

  • by Midnight_Falcon ( 2432802 ) on Sunday June 12, 2022 @01:48PM (#62613618)
    Those ineffective vendors sponsor it. The conference "expo hall" is an absolute shitshow of every cybersecurity vendor imaginable with booths, shouting and rallying and performing stunts etc. to draw people in. Salespeople will jump over the booth and literally try to grab some folks if they see their badge having a company name they like. If you let anyone "scan your badge" then you will receive sales followup calls for a year, even if at the conference you explain you have no use case for their product.

    What makes it worse is even some of the presentations at RSA and other conferences are basically all sales and marketing. I've seen presentations where it's about "New vulnerabilities in the landscape," and then it's a security engineer reading a script and pitch deck written by sales and marketing, that gives no helpful technical information.

    Combine this with a large quantity of security professionals and executives who buy based on business decisions, personal relationships and the good ol' boys and not sound technical and empirical justifications -- and you have conditions ripe for the state the article describes.

  • by gweihir ( 88907 ) on Sunday June 12, 2022 @01:59PM (#62613626)

    Most cybersecurity products try to suggest that if you buy this one magic product you do not need expensive IT security experts. That is, of course, completely untrue, because nothing but those experts can even evaluate what you need, what the threats are, what your assets are and how they need to be protected. And keep that evaluation updated as the situation changes. But this is the lie used to sell these products. In actual reality, this may eventually work when IT is mostly stable and established and technological advances move very slowly. Say, > 50 years from now.

  • by devslash0 ( 4203435 ) on Sunday June 12, 2022 @02:04PM (#62613640)

    All those "CISOs, CIOs, CEOs" have unrealistic expectations. They would like the security products they buy to be buy-once, use-forever magical solutions that would grant them 100% bulletproof security with minimal involvement from any human being and definitely without having to spend any more money.

    They don't understand that cybersecurity is a never-ending battle between new threats and the technological stack utilised and/or built by their company. It's a battle which requires a solid strategy, continuous research and development, fast adaptation, even quicker response and... infinite amounts of both technological, financial and human resources on an ongoing basis.

    If your expectations are so detached from the reality then no wonder you end up disappointed.

  • There are enough ransomware attacks that with mandatory reporting you could statistically check the quality of intrusion detection/prevention products.

  • That's the definition of a tool. It doesn't matter if we're talking about a kitchen gadget, or a power tool, or a software tool, or a household decorative element.

    All tools work exactly as promised -- in exactly one very specific set of circumstances.

    This screwdriver works with this type of screw, in this large a space, with this size of hand, in this type of glove.

    This kitchen knife cuts this type of food perfectly and easily every time. If you know how to hold a kitchen knife (if you said "by the handle

    • One important thing to mention - using a tool usually requires a human operator, the requirement which most of the C-level executives are very uncomfortable with.

  • by Slayer ( 6656 ) on Sunday June 12, 2022 @02:44PM (#62613694)
    It's quite funny that such a complaint is filed at the RSA conference, when RSA accepted payment to push a cryptographic standard to its customers, which arguably did not "live up to its marketing claims" [cloudflare.com].
  • What do you recommend? What is the best security software for Microsoft Windows computers?
    • by splutty ( 43475 )

      The built-in one and your brain. Neither of these are optional.

    • by gweihir ( 88907 )

      Linux. Windows cannot be fixed, as, for example, evidenced by that current zero-day vulnerability that is now waiting for an official patch for 14 days and has been actively exploited for nearly that long. Apparently not even MS can fix Windows code anymore without breaking lots of things...

  • by divide overflow ( 599608 ) on Sunday June 12, 2022 @05:37PM (#62614084)
    There is a saying in advertising:
    The harder the push, the poorer the product.
  • This is where capitalism fails "we the people". If you can't know what you're buying, then you can't direct your money to valid vendors. Companies have figured this out and there is nothing customers can do about it without help from our governments (who are all bought off by said companies).

    And getting restitution shouldn't be limited to the already rich. Maybe if we stopped all the "make work" and duplication of effort (companies all keeping secret what they figured out), we could have that effort go s

  • Comment removed based on user account deletion
    • by gweihir ( 88907 )

      Actually, no. To break into a system you have to be smarter than the dumbest person that ever put in some hard-to-change functionality. See MS Windows for a nice example of that.

  • It starts when your father acquires a "#1 Dad" mug, and it never stops.

    Cue: George Carlin on advertising.

  • They have never lived up to their promises. The only people who weren’t compromised were either very lucky, or else they followed procedures that reduced their attack surface using other, non-commercial methods.

  • I am a beginner in cybersecurity. I have a huge firewall log file (14GB). I have to find out which source IPs have sent the maximum bytes (accumulated) to a destination IP and tabulate the top 10 results in descending order along with additional details like date, time, service, country. For example, IP-1 has sent 70 bytes on the first request and 40 bytes on the second request, IP-2 has sent 90 bytes on the first request and 10 bytes on the second request. So, IP-1 is the one who sent the max bytes accumulated (110byte
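One way to do the accumulation the comment above describes, streaming the file once so a multi-GB log never has to fit in memory. This is an added example, not code from the post or the article; the CSV column layout (`date,time,src_ip,dst_ip,service,country,bytes_sent`) and the sample rows are constructed assumptions, since real firewall exports differ by vendor.

```python
import csv
from collections import defaultdict
from heapq import nlargest
from typing import Iterable

# Constructed sample in an assumed CSV export layout (not any vendor's real format).
# It reproduces the numbers from the comment: IP-1 sends 70 + 40, IP-2 sends 90 + 10.
SAMPLE_LOG = """\
date,time,src_ip,dst_ip,service,country,bytes_sent
2022-06-12,13:38:00,10.0.0.1,192.0.2.10,https,DE,70
2022-06-12,13:38:05,10.0.0.2,192.0.2.10,https,FR,90
2022-06-12,13:39:10,10.0.0.1,192.0.2.10,ssh,DE,40
2022-06-12,13:40:00,10.0.0.2,192.0.2.10,https,FR,10
2022-06-12,13:41:00,10.0.0.3,192.0.2.10,dns,US,5
"""


def top_senders(lines: Iterable[str], n: int = 10):
    """Return the top-n source IPs by accumulated bytes_sent, descending.

    Each result is (src_ip, total_bytes, details); details are date, time,
    service and country from the first record seen for that source. Only one
    running counter per distinct source IP is kept, so the input can be a
    file object of any size. Change the key to (src_ip, dst_ip) to rank
    per source/destination pair instead.
    """
    totals = defaultdict(int)
    details = {}
    for row in csv.DictReader(lines):
        try:
            sent = int(row["bytes_sent"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows instead of aborting a 14 GB run
        src = row["src_ip"]
        totals[src] += sent
        details.setdefault(src, {k: row[k] for k in ("date", "time", "service", "country")})
    ranked = nlargest(n, totals.items(), key=lambda kv: kv[1])
    return [(src, total, details[src]) for src, total in ranked]


if __name__ == "__main__":
    import io
    for src, total, d in top_senders(io.StringIO(SAMPLE_LOG)):
        print(f"{src:<12} {total:>8} {d['date']} {d['time']} {d['service']} {d['country']}")
```

For the real file, pass an open file object (`with open(path, newline="") as f: top_senders(f)`) so rows are read one at a time.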
  • I passed through cyberbullying, and the unique thing which helped me to go over it was the free essays about this subject that I read on the Artscolumbia service. If anyone needs moral support besides cyber security products, then https://artscolumbia.org/free-essays/cyber-bullying/ [artscolumbia.org] is the ideal source of information for this topic. Additionally, the expert writers help me with my academic homework by providing excellent essay papers with reliable data. I trust this service because I receive only A grades d
