Tuesday, May 5, 2009

RANT: Security Pixie Dust

I haven’t gone on a good rant lately – but it’s high time I let it out because it’s been building like the tension in the Ferrari F1 team.  I’ve been keeping a steady eye on the marketing efforts around “security stuff” as the economy has been tanking and I’d like to share with you some observations.

Perhaps in a stable economy, one where we’re not spending our great-great-great-grandchildren’s savings, these observations wouldn’t make me so nuts… but in light of corporate spending habits in such a climate I feel the need to call out these ridiculous happenings.

The crescendo of my madness was earlier today when I walked, errr…hobbled, through Chicago’s O’Hare International Airport slowly enough to actually look at some of the signage and billboards.  I came up the escalator in Terminal 1 to be greeted by a WatchGuard Firebox ad and immediately I stopped and took note; then I took a picture just so I can have proof of this insanity.  After getting through security I was greeted overhead by a giant big-screen style video board running ads for none other than Symantec.  Symantec’s ad was a little less upsetting – and unfortunately I couldn’t get a good picture of it in spite of my efforts.

The Symantec ad basically said this … “We protect more corporations, systems and users than anyone else in the world”.  I then had a quick flashback to the last 3 big companies I worked at.  Not surprisingly Symantec’s logo was all over each one.  From dysfunctional desktop firewall/antivirus/anti-malware to a SIM, to some backup software – Symantec was everywhere.  I then recalled how much we all (in IT Security) complained that the products were crap and we could barely make them do what we needed them to do, much less what the sales guys had convinced our management they would do.  OK so fair enough – for better or for worse, Symantec had protected (or secured if you really stretch the meaning) each one of those enterprises.

Now let me take a minute to address WatchGuard’s “Complete Network Security In One Box” slogan in those big white letters.  First off, to you and me the insertion of the word network in that slogan means that it doesn’t actually protect against anything that doesn’t attack at the network layer.  The average business-person, however, does not quite see that subtle distinction.  They see the WatchGuard ad, and see that they can solve the “hacker problem” by plugging this box in… and nothing else.  How do I know this for such a fact?  I stood there for a few minutes and asked some random people in business suits.  I realize this isn’t a scientific poll – but it’s what I had to work with.  Perhaps I’ll make this a little more scientific in the near future if you readers think you want to read more.

Let me get to the point of my rant here for the sake of keeping this relatively brief – I hate few things more than when a vendor sells magic pixie dust.  I personally haven’t picked up a Firebox since about spring ’00 when I was working as a consultant and we replaced a few at some SMBs.  Not that I personally have anything against the Firebox because I do think that any UTM Firewall is as crappy as the next, but this type of advertising makes me mad as a hatter.  I realize full well that in a contracting economy vendors scrap for as much business as possible, and business is business, but please stop over-selling your products.  Also, please realize that the way you advertise impacts not just your business but the entire industry … often negatively.  What that WatchGuard ad says to the unsuspecting business owner is “Hey, buy this box and forget about security” – which simply isn’t true!  Businesses have web applications, random portable user devices (iPods, etc.), and a plethora of other threats that these UTM Firewall boxes simply don’t address.  To insinuate that your product is the magic security pixie dust is irresponsible, and actually does more harm than good.  …and don’t give me that “But we’re being honest and saying we only cover network security” crap… you know who you’re targeting here and know damn well that your target audience doesn’t understand the difference.  And this isn’t just a rant against WatchGuard because their ad was just the latest that caught my attention… this goes for all of your marketing teams that have that stupid “Security. Solved” mentality to your ads – you know who you are.

As a call to action, I urge everyone that sees one of these irresponsible ads – take a picture, post it somewhere… call them out.  If we as security professionals continue to allow this madness to seep into our industry – our already confusing talks with business leaders will be even more confusing when we have to tell them their magic red box does nothing to keep their credit card database safe… and that’s not just bad for us – it’s bad for business, period.

…and with that I’ll step off my soapbox, thanks for reading!


Michael Hamelin said...

The number of "One box solves all your security problems" slogans lately is really offending. I've always told people if security was so easy Microsoft would sell a box that just did it, but never did I think people would try and market a box for it. You can stand on your soapbox about this one anytime, we should all be shouting, it's just wrong.

Rafal Los said...

@Michael Hamelin:

First off - I'm flattered you read the blog.

Second, I just couldn't take it anymore. It's not just the UTM appliances, it's every vendor now. How often do you read "fully automated compliance" or "complete security solution" from hardware/software ... it just makes me crazy.