Do make note of points 1, 3, and 6.
I particularly appreciated the subtext of the wording of #1.
Vendors don't need to be ahead of the threat, just the buyer.
We all know the story of the two campers and the bear, but this is an interesting variation. We've just discussed Mr Carr screaming about how he wasn't told by his security staff that there were more threats.
Yes, but ... It's not the security staff that set the budget or make the buying decisions. Look: it says "buyer", not "customer".
How often have you had your security advice over-ridden for any one of a number of reasons? It's not you doing the BUYING, is it?
And why do you think that the saleswomen wear suits and talk in that stupid language using terms like "solution" (oh-ho, watch out, here comes Les...) and "bottom line" and other stuff that has nothing to do with InfoSec.
'Cos it isn't YOU doing the buying.
At best they throw you a bone since you might be an 'influencer' - more salesman-speak. (But 'influencer' is too close to 'influenza' which is why they don't get too close to you...)
Meanwhile, you're talking to your manager about all these nasty things like threats and the possibility of embarrassment in the press and lawsuits, while that nicely dressed saleslady is talking sweetly about nice things such as profit and success and suchlike.
Let's face it, the game is semantically rigged against us.
"Oh look http://pics4.city-data.com/cpicc/cfiles34082.jpg hey, that's neat, I didn't know they could do that...."
- InfoSec In The Supply Chain (blogs.forrester.com)
Posted by antonaylward
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity