Once Again, I’m not a Bank!

Posted July 19th, 2007 by

It seems like every product or service that somebody is trying to sell me has the words “bank” or “financial institution” attached to it. The cynic in me would say that either the SOX cash cow is drying up and the vendors are trying to glom onto FISMA, or the only past performance that these small-fry vendors have is with a bank that bought their solution once.

Part of me also wants to know if banks will buy whatever junk I throw at them. =)

So is the secret to selling a product to the government a cleverly crafted Unix shell command like the following:

cat marketing.literature.sox.txt \
| sed 's/SOX/FISMA/' \
| sed 's/bank/government agency/' \
> marketing.literature.fisma.txt

You would think so based on the spam I get nowadays. It’s so obviously retreaded that I keep wondering “Do you guys even believe your own literature and hyperbole about what you’re trying to sell?” I don’t expect sales people to be the experts at my business, but how can you offer me a solution to my problems if you don’t understand the gist of what my problems are? If you don’t know that bank security is primarily modeled on integrity and that government security is primarily modeled on confidentiality, then we don’t really have a common language.

My vendor spam for today is below. “Compliance as a Service” makes my head explode. I think somehow I should be building a list of security spammers as a “Wall of Shame” to help out the people who would actually buy from these vendors. If anything, I’ll know who not to buy from; the list is getting large enough that I need to write it down to keep track of it.


Dear Rybolov,

The need for automated Security Review processes had already made developments in risk tracking one of the areas of greatest interest (and concern) to CIOs, CSOs, and Security Managers worldwide. Now, with the news of Google’s acquisition of Postini, many enterprise organizations are looking even more closely at risk management and compliance as a service.

Many companies lack a repeatable, automated security risk assessment process, and <redacted> would like to offer you a case study that provides an overview of how a leading global financial service provider was able to take advantage of compliance as a service to address risk management and compliance issues while improving business performance.

The specialists at <redacted> are pleased to offer you this case study in an effort to reduce the background noise surrounding this issue and help you focus on the aspects of the process that matter most.

To download this case study at no cost and with no obligation, simply visit: <redacted>


Posted in FISMA, Rants, What Doesn't Work | 6 Comments »

6 Responses

  1.  Saso Says:

    Your scripting skills are worse than mine. 😉

    sed -e "s/SOX/FISMA/g" -e "s/bank/government agency/g" marketing.literature.sox.txt > marketing.literature.fisma.txt

    There. One-liner. That’ll be $40, thank you.

    To answer your question: No.

    Banks are usually tough customers and don’t take compliance spiel at all. After all, telling (most) banks and financial institutions how to do their compliance is akin to teaching a fish how to swim.

    I share your disgust at people that mix compliance and risk management.

  2.  rybolov Says:

    Heh. I know they’re hard to fool.

    That’s why I wonder about all these products that started life as SOX toys and are now rebranded for government. In some ways, the idea is *almost* insulting to our collective intelligence.

    However, it’s enough of a trend to merit some thought on why it happens.

  3.  Saso Says:

    The SOX and related tools were pitched to financial institutions and failed miserably. Banks listen carefully, then do what you pitched to them in their own terms.

    So vendors figured they can sell their wares to other industries. I guess now that most of the non-financial industries got sick and tired of constant SOX and compliance barrage, vendors decided to saturate the government market.

    After all, everyone knows that government buys everything pitched to them, right? 😉

    Besides, e-mail is cheap.

  4.  rybolov Says:

    I wish the government would buy everything I pitched to them, I would own a very fast, very black, very convertible sportscar. =)

  5.  Mark Says:

    Compliance as a service. A double whammy marketing attack. SaaS and Compliance.

  6.  Database Activity Monitoring for the Government | The Guerilla CISO Says:

    […] DAM Customer Base: It’s the “Look, I’m not a friggin’ bank” problem again. DAM vendors don’t actively pursue/understand Government […]
