For security firms, even small mistakes are bad marketing
This is a repost of IANS Faculty Member Ed Moyle's blog post, "For security firms, even small mistakes are bad marketing", available on the Security Curve blog.
I’m interested in the overall reactions that security firms get from the community at large. All of us have been hanging on what’s going on over at RSA, of course, and let’s not forget what happened to HBGary. Those are pretty serious, so we tend to notice them, but there are tons of much smaller issues that don’t hit the headlines in such a tremendous way. Yesterday, for example, there was a disclosure about some problems with McAfee’s website.
It was the kind of stuff you’d see in a lot of places (a few information disclosures, an XSS, and an internal hostname disclosure), but still sufficient to get pretty broad attention. Which interests me. Because there’s a perception when it comes to security firms that they are somehow going to be more secure than the next guy. We, the buyers, expect that folks who sell security tools or services are somehow superior to everyone else out there. It’s a common phenomenon: we expect the preacher not to look at porn, we expect the doctor not to smoke, we expect our hair stylist not to have a bad perm, and we expect our dentist to have all their teeth. So really, a big enough hack – for a security firm – can be the end of the line.
Which, when you stop and think about it, isn’t necessarily fair. Two reasons for this:
- Hacked vs. Not-Hacked is not an effective instrument for measuring security knowledge, ability, or product strength. In other words, just because somebody gets hacked doesn’t mean they failed to protect their environment – the fact that they got hacked doesn’t mean anything other than that somebody wanted to get in badly enough. Say you’re a cop and someone breaks into your house… should you get fired? No, right? Because cops are not expected to have a fortress-like home that can’t be broken into.
- Sometimes knowing about a hack is a sign of better security, not weaker. Two scenarios for you; which would you prefer to have as your security vendor:
- Vendor A – Vendor A takes security very seriously since they sell security tools. They notice one day in their centrally-managed and reviewed log files that they have a possible hacker in their environment. They confirm this by tracing activity through multiple sets of logs using multiple assessment and investigative tools. They determine the extent of the damage by analyzing the attack and they push out countermeasures using a defined remediation process. They disclose this attack to customers.
- Vendor B – Vendor B has no security tools. Someone suggests that they look into improving the security of the environment (because they are, after all, a security vendor). That idea is shot down and everyone at the company laughs about how “the chumps” (i.e., their customers) won’t know the difference. They’ve had attackers with root-level access to their environment for years; however, nobody knows that, because they don’t use any security or monitoring tools whatsoever. They don’t disclose any attack to customers.
Anyway, my point here is that, unfortunately, a hack or some other security issue is bad marketing for a security vendor – and in some cases can be a death blow. But it also has a potential upside if it’s not a death blow. Why? Because bad marketing does not mean bad security. It may or may not be a sign of bad security or a malfunctioning product, but it could also just be perception. Being a fan of buying stuff when it’s cheap (for example, I still have the BP stock I bought last summer when it was 30 dollars a share), I think it’s important for folks to think about how they can use these situations to their advantage. Point being, the period after a hack could be a time to get good pricing on products/services – unless, of course, the company providing them takes too much of a hit and goes out of business.
Image Source: morenewmath.com
