“Look around the show, you’ll see a lot of ambulance chasing from vendors”, Maiffret says with disdain. “Snowden made a conversation happen, and the vendor community is responding with marketing messages”.
“Target…Snowden…The threats haven’t changed, but the marketing messages have”, he observes.
And this, he tells me, is the worst thing about the information security industry. “There’s such a lack of honesty. Not every company solves every problem for everybody, that’s just bullshit. I don’t envy infosec professionals for having to get through the vendor clutter”.
Most vendors, he tells me, “feel the need to say they’d have prevented the Snowden revelations or the Target breach”, but they wouldn’t, he says with conviction. “It doesn’t make them more viable, it’s just disingenuous. Do they realize their sales pitch is hollow?”, he asks rhetorically. “No one product would have fixed either issue. People are over-simplifying it.”
BeyondTrust, by contrast, he says, base their relationships with clients on honesty and transparency. “People like doing business with us because we’re not full of shit”, he says. “We like to tell our customers what we don’t do, not just what we do.”
And it works both ways. BeyondTrust choose their industry partners based on the very same criteria: trust, and consistency in their message. “Honesty equals longevity. We know what we’re not doing great and we work on fixing it.”
One vendor he does choose to give kudos to is FireEye. “They’re doing great. There’s a reason they grew as fast as they did”, he says.
Vendors he speaks less highly of are those that rely on acquiring innovation. “Symantec will continue to buy their way to relevance. These are not the companies we should look to for innovation.”
But whilst new technologies are important, it’s essential not to dismiss legacy technologies, Maiffret advises. “Everyone is looking for the new advanced thing, but forgetting about the basics. Anti-virus stops the noise and some of the bad stuff in the world. A business’s biggest challenge is known security weaknesses.”
Security budget should be assigned on the following criteria: what’s your adversary, and what is your risk.
Marc Maiffret, it has been a pleasure.