Security, Lies and Sales

"Intelligence plus character - That is the goal of a true education" - Martin Luther King Jr.



Last week I read an article from one vendor describing how to "bypass" another vendor's security.  It wasn't the fact that the article was completely incorrect and misleading that set me back; it was the intent.  I've had the pleasure of being intimately familiar with both sides of the security coin, practitioner and sales.  I have seen the incredible value that some vendors have brought to the landscape and, unfortunately, the harm that others have done as well.  Advancing our industry and maintaining the credibility of our roles are hard enough without being undermined and misled by unscrupulous vendors.

As security practitioners, we've all seen our share of questionable sales individuals and tactics.  It's an unfortunate part of life that we must question the ethics and morals of the person on the other side of the table.  However, it's even more traumatic when our very mission and nature require us to be farther above the "moral line" than others.  When your vendor, consultant, partner, etc. even hints at something that violates that, we must instantly pause and question whether we want to continue.

Things I look out for:

  • Discussions that directly or indirectly say who their other customers are.  This is not about reference customers but all others.  Are they talking about you to other organizations, etc.?
  • Discussions about their competitors' failings.  It's way beyond how they compete feature to feature, service, etc.  It's the negative talk about their failings, etc.  This is especially true when a vendor is compromised.  We've all been there and I wouldn't wish it on anyone.  It's in poor taste to use others' challenges to lift yourself up.
  • The magical product that cures all of your ills.  This is probably the most common issue I've seen.  No matter what your need is, their product will fix it for you.  SOX? PCI? APT? SDLC? Culture?  Don't worry... we've got an app for that.
  • Discussion about their product's capabilities well above reality.  I understand marketing, but when their stated capabilities are flat-out false it forces me to question all statements.
  • False statements about competitors' features.  It's one thing to do a feature comparison with a competitor.  It's another when you state they don't have that feature or capability only to better yourself.  It's even worse when you post those manipulative comparisons.
  • Engagements beyond the normal.  Having a dinner or expo pass given to you is one thing.  Trips and other more lavish gifts are another.  It's even more questionable when you are being courted vs. being an active customer.
  • The highly inflated cost model.  This isn't so much the salesperson as it is the company itself.  When you are selling a server security product that costs more than the operating system itself, that might be a problem.  When the price miraculously gets cut by 50% or more at the end of the quarter, that might be a flag.  I understand profit, but as a customer, gouging is not good.