Forrester Research, in a recent pull-no-punches blog post, called out cybersecurity vendors for not merely telling IT executives things that are not true, but for being so clueless about enterprise IT that they actually believe their own bogus hype.
This raises a thorny issue. Even when vendors don’t understand business tech needs, IT directors and C-suite leaders certainly should. So why does vendor spin work with an audience that knows better? The most likely answer: lying and exaggerating is so ludicrously common for so many vendors — especially the big tech companies — that it’s impossible to ding any one vendor for lying.
There are also likely corporate political issues at play. CIOs, IT directors, and CISOs all know that their tenure in those roles is usually short; turnover runs at roughly every 18 months. So, to collect their bonuses and other incentives, they must play it safe.
For example, let's say a CISO believes the best option for his or her company is a relatively small, two-year-old vendor. If the CISO makes that choice and something goes wrong, the CEO is likely to blame the CISO. But if that CISO chooses a Microsoft or Oracle or Google and something goes wrong, the vendor likely gets the blame. (There’s a reason the industry motto used to be, “Nobody ever got fired for buying IBM.”)
Allie Mellen, Forrester’s principal analyst for security and risk, authored the recent post about vendors and refers to their falsehoods as “The Blob.”
“The Blob represents a group of people that are so deeply caught up in their own echo chamber they have become one unit that self-reinforces a set of ideas,” Mellen wrote. “They are also often out of touch with those actually doing the work, so caught up in their own thought experiments that they fail to see the reality on the ground: a group of people that have simmered in the industry for much if not all of their careers to the point where the lines between vendor marketing messages and reality have completely faltered.”
She offered some examples of this nonsense: “SIEM is dead.” Or, “AI solves the detection problem.” Or, “You don’t need detection if you have good prevention.” Or, “The autonomous SOC/automation will take care of that talent shortage for you.”
In an interview, Mellen said IT and security execs almost always recognize the lies for what they are, but ignore them and make decisions based on whatever meaningful details they can unearth. She argued that execs must double down on networking with peers and use whatever tactics they can to independently identify companies that have already bought the product, or at least ran test deployments of it. (Insisting on speaking with a vendor’s engineers rather than its salespeople is another good way to try to get at the truth, she said.)
Michael Oberlaender, a CISO for eight enterprises and a board member of the FIDO Alliance, agrees with Mellen’s argument. But he questions whether the percentage of IT and security leaders who see through the falsehoods is that high. “Don’t assume that all CISOs are of the same quality; they all share the same titles, but not the same experiences,” said Oberlaender, who is also the author of Global CISO: Strategy, Tactics and Leadership.
Some executives may be new to the job; others may not have a meaningful foundation in technology or security. “There is the need for the knowledge and understanding to vet and validate the vendor claims. Some actually believe the Kool-Aid that the vendors tell them,” he said.
It's a valid point, but the reality may not be so black and white. There is believing and then there is really wanting to believe so much that you start to talk yourself into actually believing. If the enterprise needs a piece of software to do XYZ and you have a vendor willing to put in writing that their product delivers that, choosing to believe could make your life so much easier.
A concrete approach, Oberlaender said, is to push proofs of concept (POCs) as much as possible. “Try it out in your environment” and push back against vendor restrictions, such as an arbitrary time limit on testing. “Typically, meaningful POCs take longer than 90 days.”
He also urged enterprises to push for enough funding to do POCs with “at least four or five vendors.”
Another caution: IT decision-makers should be suspicious of vendors pushing non-disclosure agreements (NDAs). You’ll want to talk with others who have done POCs to understand what they learned, and if you don’t want them bound by an NDA, should you sign one yourself? It also raises the question of what the vendor is worried you’ll say. Note: A vendor asking for an NDA is different from a vendor insisting on one.
More broadly speaking, when trying to sift through the vendor hype, keep in mind these key questions: How many people will you need to manage this offering? How well does it play with the apps and tools in your environment? How much hand-holding is required and how does that affect the total cost of ownership?
The simple truth is that a seemingly less powerful option might be the better choice if it requires less attention, behaves itself and doesn’t cause lots of conflicts and other problems. Your team has limited time to put out fires.
In a LinkedIn discussion on this topic, Derek Andrews (director of cybersecurity operations and incident response for a large nonprofit he declined to identify) put it this way: “The blob is the result of a crisis among IT leadership that has a technical understanding that's 20 years old. They fall prey to marketing hype because they just don't understand the reality of the products they're buying and problems they're supposed to solve and the problems they will create. This is why so many sales teams do not want to pitch when engineers are in the room or on the call. It's too hard for them to sell magic crystals and FUD.
"Forrester and Gartner are not without fault in this blob problem, as in many ways they've helped create it.”
Andrews’ point that industry analysts share at least some of the blame for hype is not without merit. And I must admit that tech journalists must be careful, too, not to reproduce and amplify a vendor’s unverified claims.
With so much hype coming from so many directions, it’s imperative that CIOs and CISOs push hard on finding objective details so they know the best direction to take.
As Mellen, the Forrester analyst, put it in her post: "...There’s good news: It doesn’t have to be this way! You too can help stop the spread of The Blob. ...Listen to a practitioner. Attend talks that get into the nitty gritty — not theoretical, but actual technical problems. Challenge the status quo and think critically and deeper than the one-off comments you hear."