The Enterprise Vendor Phases of Pain and Comprehension
Dave G. | May 19th, 2006 | Filed Under: Disclosure, Industry Punditry
Ignorance (The Truffle, Foie Gras and Fried Platinum Salad Days)
Vendors can sit here for years. They often boast about their security, even though they have done nothing to assure their products are actually secure. No one has reported vulnerabilities. The other guys look worse.
Inside Management’s Head: “There’s no evidence to support insecurity, therefore we must be INVINCIBLE. And since we are secure, we better let everyone know how secure we are!”
Attention (Why is that dude with the facial tattoos staring at me?)
A natural result of this ignorance is that other people start to notice. Unbreakable, you say? Pundits Pund. Researchers research. The public starts hearing that maybe the vendor isn’t as secure as it thinks it is. Articles that come out from the press mention security issues as an aside. The last paragraph will have a quote from a security researcher, industry analyst or pundit saying that ‘the sky is falling’. He is perceived by the vendor as another crazy person, walking down the street, yelling into his phone that the world is going to end. And it’s a rotary phone.
Inside Management’s Head: “Every company has the occasional security problem! And analysts always predict doom and gloom. And what the heck is a security researcher?”
Focus (Why is everyone staring at me?)
Security research starts getting serious. Vulnerabilities start to come out in your products. Researchers start complaining about how bad your software is, and how bad your response to their reports is. Claims of delays, hiding issues, non-responsiveness.
Inside Management’s Head: “We have a serious problem here. Clearly, we need PR/Marketing to make this problem go away.”
Pain (Why am I not wearing pants?)
The bad press starts actually affecting business. Competitors start pushing the security button on customers. Customers start pushing the security button on the vendor. It is now officially holding up deals. It is time to fix it.
Inside Management’s Head: Persistent throbbing or pounding pain, with sensitivity to light, sound and movement.
Stay tuned for part 2, where we talk about the trials and tribulations of actually fixing software!


Adam
May 19th, 2006 6:18 pm
Don’t be silly. There’s no part 2. No one fixes software.