Forrester Research, in a recent pull-no-punches blog post, called out cybersecurity vendors for not merely telling IT executives things that are not true, but for being so clueless about enterprise IT that they actually believe their own bogus hype.
This raises a thorny issue. Even when vendors don’t understand business tech needs, IT directors and C-suite leaders certainly should. So why does vendor spin work with an audience that knows better? The most likely answer: lying and exaggerating is so ludicrously common for so many vendors — especially the big tech companies — that it’s impossible to ding any one vendor for lying.
There are also likely corporate political issues at play. CIOs, IT directors, and CISOs all know that, overwhelmingly, their tenure in those roles is short, with turnover every 18 months or so. So, to collect their bonuses and other incentives, they must play it safe.
For example, let’s say a CISO believes the best option for his or her company is a relatively small, two-year-old vendor. If the CISO makes that choice and something goes wrong, the CEO is likely to blame the CISO. But if that CISO chooses a Microsoft or Oracle or Google and something goes wrong, the vendor likely gets the blame. (There’s a reason the industry motto used to be, “Nobody ever got fired for buying IBM.”)
Allie Mellen, Forrester’s principal analyst for security and risk, authored the recent post about vendors and refers to their falsehoods as “The Blob.”
“The Blob represents a group of people that are so deeply caught up in their own echo chamber they have become one unit that self-reinforces a set of ideas,” Mellen wrote. “They are also often out of touch with those actually doing the work, so caught up in their own thought experiments that they fail to see the reality on the ground: a group of people that have simmered in the industry for much if not all of their careers to the point where the lines between vendor marketing messages and reality have completely faltered.”
She offered some examples of this nonsense: “SIEM is dead.” Or, “AI solves the detection problem.” Or, “You don’t need detection if you have good prevention.” Or, “The autonomous SOC/automation will take care of that talent shortage for you.”
In an interview, Mellen said IT and security execs almost always recognize the lies for what they are, but ignore them and make decisions based on whatever meaningful details they can unearth. She argued that execs must double down on networking with peers and use whatever tactics they can to independently identify companies that have already made a purchase or at least did test runs. (Insisting on speaking with a vendor’s engineers is another good way to try to get at the truth, she said.)
Michael Oberlaender, a CISO for eight enterprises and a board member of the FIDO Alliance, agrees with Mellen’s argument. But he questions whether…
2023-09-26 05:00:04
Post from www.computerworld.com