

An IT security salesman told me his software doesn’t work



Someone, somewhere can always get in.


I just wanted a day off.

So I wandered to a public golf course for some sunshine and the hope of just one decent tee-shot.

When you wander out to play golf on your own, you never know whom you might meet.

I’ve learned what it feels like to go into a burning building, thanks to a golfing firefighter. I’ve learned what it feels like to fly a covert mission to Iraq from a young golfing Air Force pilot.

This time, the play was slow, and two men caught up with me. One was instantly affable and a good golfer.

He wanted to chat, and he was good at that, too.

Given that this was a weekday, I asked him how often he played.

“Around three times a week,” he replied.

“How can you do that?” I wondered.

“I have a great boss who only cares about me making my quotas.”

“So you’re a salesman? What do you sell?”

“IT security software,” he said.

If there’s one product that most businesses crave these days, it’s this one. Hacks cost businesses millions. Why, some cities are even paying hefty ransoms to get their data back.

Many IT and security professionals blame ignorant, careless employees for most of the issues. Some research suggests that millennial employees are the most blasé about the whole thing.

Yet my conversation with this IT security salesman took a strange turn.

We were waiting to tee off, and suddenly he said, entirely unprompted: “You know, our product doesn’t work.”

Ah. Oh.

What do you say to that? Did he want to unburden himself? Perhaps he merely wanted to be disarming just before I (tried to) hit the ball.

His company is, how can I put it, quite well known in its field. So I had to ask: “Wait, you’re selling stuff you know doesn’t work?”

“Most of the hackers are always one step ahead,” he said. “It doesn’t matter what the security software is, they’ll find a way around it.”

“And there’s no way of catching them?”

“Most of them are overseas. If you can even find where they are. Even if you know what country they’re in, their government doesn’t care and won’t do anything about it,” he explained.

“So there’s nothing anyone can do?”

“Not really, no,” he said after he hit a very nice three-iron.

What a strange place we’re in when businesses are fighting mysterious adversaries and apparently don’t have the tools to truly defend themselves.

It doesn’t matter if the company is small or large. It doesn’t seem to matter, even, if the company is supposed to have some sort of software expertise.

It seems as if every new piece of software — and the old pieces, for that matter — has at least one cat-flap through which a hacker can enter.

It was, indeed, disarming to hear this salesman talk about his job with a benign resignation. He wasn’t arrogant, merely matter-of-fact.

I had to ask the obvious question: “Don’t you feel bad about selling something that you know doesn’t work?”

“Our software is pretty good, compared to most of the others, so no, I don’t feel bad. And anyway, I get to play golf three times a week.”



The Five Pillars of (Azure) Cloud-based Application Security



This 1-hour webinar from GigaOm brings together experts in Azure cloud application migration and security, featuring GigaOm analyst Jon Collins and two special guests from Fortinet: Daniel Schrader, Director of Product Marketing for Public Cloud, and Aidan Walden, Global Director of Public Cloud Architecture and Engineering.

These interesting times have accelerated the drive towards digital transformation, application rationalization, and migration to cloud-based architectures. Enterprise organizations are looking to increase efficiency without impacting performance or increasing risk, whether that risk stems from infrastructure resilience or from end-user behavior.

Success requires a combination of best practice and appropriate use of technology, depending on where the organization is on its cloud journey. Elements such as zero-trust access and security-driven networking need to be deployed in parallel with security-first operations, breach prevention and response.

If you are looking to migrate applications to the cloud and want to be sure your approach maximizes delivery whilst minimizing risk, this webinar is for you.



Data Management and Secure Data Storage for the Enterprise



This free 1-hour webinar from GigaOm Research brings together experts in data management and security, featuring GigaOm Analyst Enrico Signoretti and special guest from RackTop Systems, Jonathan Halstuch. The discussion will focus on data storage and how to protect data against cyberattacks.

Most of the recent news coverage and analysis of cyberattacks focus on hackers getting access and control of critical systems. Yet rarely is it mentioned that the most valuable asset for the organizations under attack is the data contained in these systems.

In this webinar, you will learn about the risks and costs of a poor data security management approach, and how to improve your data storage to prevent and mitigate the consequences of a compromised infrastructure.



CISO Podcast: Talking Anti-Phishing Solutions



Simon Gibson earlier this year published the report, “GigaOm Radar for Phishing Prevention and Detection,” which assessed more than a dozen security solutions focused on detecting and mitigating email-borne threats and vulnerabilities. As Gibson noted in his report, email remains a prime vector for attack, reflecting the strategic role it plays in corporate communications.

Earlier this week, Gibson’s report was a featured topic of discussion on David Spark’s popular CISO Security Vendor Relationship Podcast. In it, Spark interviewed a pair of chief information security officers—Mike Johnson, CISO for Salesforce, and James Dolph, CISO for Guidewire Software—to get their take on the role of anti-phishing solutions.

“I want to first give GigaOm some credit here for really pointing out the need to decide what to do with detections,” Johnson said when asked for his thoughts about selecting an anti-phishing tool. “I think a lot of companies charge into a solution for anti-phishing without thinking about what they are going to do when the thing triggers.”

As Johnson noted, the needs and vulnerabilities of a large organization aligned on Microsoft 365 are very different from those of a smaller outfit working with GSuite. A malicious Excel macro-laden file, for example, poses a credible threat to a Microsoft shop and therefore argues for a detonation solution to detect and neutralize malicious payloads before they can spread and morph. On the other hand, a smaller company is more exposed to business email compromise (BEC) attacks, since spending authority is often spread among many employees in these businesses.

Gibson’s radar report describes both in-line and out-of-band solutions, but Johnson said cloud-aligned infrastructures argue against traditional in-line schemes.

“If you put an in-line solution in front of [Microsoft] 365 or in front of GSuite, you are likely decreasing your reliability, because you’ve now introduced this single point of failure. Google and Microsoft have this massive amount of reliability that is built in,” Johnson said.

So how should IT decision makers go about selecting an anti-phishing solution? Dolph answered that question with a series of questions of his own:

“Does it nail the basics? Does it fit with the technologies we have in place? And then secondarily, is it reliable, is it tunable, is it manageable?” he asked. “Because it can add a lot of overhead, especially if you have a small team, if these tools are really disruptive to the email flow.”

Dolph concluded by noting that it’s important for solutions to provide insight that can help organizations target their protections, as well as support both training and awareness around threats. Finally, he urged organizations to consider how they can measure the effectiveness of solutions.

“I may look at other solutions in the future and how do I compare those solutions to the benchmark of what we have in place?”

Listen to the Podcast: CISO Podcast
