Security vendors are "bullshitting" users

The head of information security within one car manufacturing giant has spoken candidly to an audience of press, analysts and IT bosses of his concerns over the claims made by some security vendors and resellers.

Richard Cross, information management officer at Toyota, warned against the misleading double-speak and the promises of universal cure-alls which end up confusing and misleading IT managers who may allow themselves to believe such products exist.

"There is a temptation to go searching for a panacea, but if you find yourself speaking to a vendor and it sounds as though you are being offered a panacea then it's time to change the conversation," Cross told attendees at the Gartner IT Security Summit in London this week.

"Sorry if you are in the market for a panacea or you are a panacea salesman... but there is a lot of bullshitting going on," he added.

Ian Schenkel, MD of end point security solutions firm Sygate, agreed with Cross on the issue of a non-existent panacea, but added that if there are any IT directors who have fallen for this "bullshitting" approach then it is in part because they have not done their homework.

"Some IT directors are looking for the Holy Grail," he said, adding that some have a tendency to only hear what they want to hear. "But they are basically kidding themselves. What IT directors want to hear is that I'm the medicine man here to cure all their ills, but that simply isn't the case. Companies should always be looking at a layered solution, involving multiple vendors. To expect a single solution is unrealistic."

"A responsible vendor should be able to back up any claim they make, but IT directors should also be extensively testing the claims of the manufacturer for themselves," he continued.

"Don't believe what you read on the box - bold claims may get a vendor through the door but no way should they mean a vendor makes more sales."

While Cross's comments are clearly not to be applied to all vendors, or even more than a small minority, many responsible vendors within the industry are aware that a few 'cowboys' can tarnish the reputation of the whole sector, but it's far less of a problem than it used to be, said one vendor.

Simon Perry, VP security strategy at CA, said: "Five years ago it was certainly true that most antivirus vendors were talking things up, but a growing sense of maturity and responsibility in the industry has definitely seen this decline."

Schenkel agreed the 1990s weren't great days for honesty within the industry or the image of the IT vendor, but also added that much of the negative press addresses little more than the kind of marketing which is rife in any competitive industry.

"There is always going to be an element of jostling, with companies claiming theirs is the best product on the market, but that is just the software industry. The bottom line is that companies still have to have to back up their claims," he said.

Perry warned that companies who do over-sell themselves without support for their claims are in danger of not being taken seriously and jeopardising their business. Typically it is smaller companies attempting to punch above their weight and gain recognition in a crowded marketplace who may make bolder claims, he said.

The still-fledgling area of spam prevention is one where bold claims are rife and companies still seem to talk of impossibly high levels of performance.

David Guyatt, CEO at Clearswift, told silicon.com he would back any industry initiative and codes of practice which would effectively expose any company making exaggerated claims.

Cross's comments come in a week when the media was also blamed for confusing the IT security market and 'sexing up' the nature of threats to sell copy.