Wednesday, September 06, 2006

On Top 11 Reasons [Some Think] Security Products Don't [Always] Work...

OK, OK, I know that everybody and their dog have already blogged on this one, but so what? It is still a fun and controversial thing to comment about ...

So, first DarkReading posted their "Top 10 Reasons Security Products Don't Work" and the enlightened Mike Rothman added his "The 11th (and most important) reason security products don't work."

For starters, here is the combined list:

"1. Too many false alarms
2. Products are riddled with holes
3. No protection against zero-day attacks
4. Products don't work well together
5. Security tools are too complex
6. Users don't understand the product's capabilities
7. Users fail to install/deploy the product correctly
8. Users do too much product "tuning"
9. Users fail to update the product
10. The Blame Game"
"11. The REAL reason most security products don't work is because both vendors that sell them and the users that buy them FAIL TO MANAGE EXPECTATIONS."

Well, what can I say what was not already said by others? There is more truth in this puppy than many care to admit ...

1 comment:

Anonymous said...

One more: the organization's policies don't support what the product is intended to enforce! In other words, they buy a product to secure what they don't really WANT to commit to securing. They buy a firewall and then turn it into Emmenthaler because they won't say no to all the connectivity requests, reasonable or not. They buy an automated patch management tool and then can't run it because they don't have standardized systems and can't deploy patches without begging permission from several different fiefdoms. They buy a compliance monitoring product and then chicken out of using it because it feels too much like spying on their senior management. And so on.

Dr Anton Chuvakin