Machismo sells trucks and beer, but in IT marketing, FUD sells security products. If you can scare a CISO into thinking he or she needs your product, you’re halfway to a sale. So how does an InfoSec professional cut through the hype to know what really works? A new tool by NSS Labs, a leading information security research and advisory company, may help.
According to an article in The New York Times, NSS Labs will launch an unprecedented service to benchmark security vendors. NSS has reported on service benchmarking in the past, but in those evaluations the vendors themselves performed the security tests, resulting in perceived biases in vendor claims. The Times says:
NSS Labs pulls in real threats it collects in “honey pots” — alluring traps they set up on the Internet that allow researchers to study intruders’ tactics while attackers break into what they believe is a real system. The company then tests those threats against security defenses from some of the biggest names in the business, including Cisco, Hewlett-Packard, McAfee and Symantec. The offering is sure to put security vendors on notice. The end goal, said Vikram Phatak, chief executive of NSS Labs, is to offer real-time information to chief security officers in much the same way that Bloomberg terminals offer real-time financial information to analysts. The new offering from NSS Labs allows security officers to test products in real time through a service that does not sell security products.
Security vendors are understandably nervous, but this type of disinterested assessment is long overdue in our industry. With increasingly dire threats on one hand, and increasingly deafening marketing pitches on the other, CISOs need a reliable third party to help make informed and unprejudiced decisions when it comes to security products for the enterprise.