The Coming Backlash Against Information Security Vendors

Last week I spoke at a private dinner attended by about a dozen Fortune 100 CIOs. I had been invited to share my perspective on why corporations continue to be compromised in spite of millions of dollars being spent on enterprise IT security solutions, and to offer my recommendations on some alternative protective strategies. I was delighted at how eager the attending executives were to discuss their frustrations and share their experiences in trying to protect vast networks spanning, in some cases, over 100 countries. One of the takeaways for me was the almost visceral anger that some executives felt for "Big InfoSec". Big InfoSec is starting to emulate "Big Pharma": those giant drug companies that have no interest in curing an illness because the money is in treating symptoms, not in finding a cure. The parallels to large anti-virus companies were obvious to everyone.

But it goes far beyond growing disillusionment with Anti-Virus, IDS, IPS, behavioral analysis and other off-the-shelf solutions. There's a growing lack of trust inside the C-suite in the ability of automated solutions to protect key corporate assets. An even more extreme situation exists in India where there's NO trust in private industry by the government. One Indian national security advisor explained it to me this way: "How do we trust a company whose motive is profit to act in the best interest of our country?" And he has a point. There are very few U.S. multi-national companies who calculate national security interest when weighing their investments in foreign states that are potential adversaries to the U.S. unless such an action would also result in higher profits for the company's shareholders. Likewise, how does a CIO know that the sales engineer for XYZ security company is presenting the best solution for the CIO's company or simply a solution that's best for XYZ's bottom line?

The coming backlash against Information Security vendors is just beginning to brew. It's taking place in private conversations among senior executives at events where the Chatham House Rule is invoked or after NDAs are in place. I don't believe that it'll emerge from under the surface into a full-blown tsunami until 2012, but by then it'll be too late to do anything but scramble for cover and hope that there's something left of your over-valued InfoSec company to salvage afterwards.

UPDATE (07 Mar 2011): Robert Vamosi wrote an excellent article which underscores the point that I tried to make: "Why Cybersecurity Should Focus On Failure".