Let's Face it, Half the Security Industry is a Pyramid Scheme

Rmogull of Securosis and Gunnar Peterson claim that GRC is dead.  In my typical global-brained style, I want to cut to the root cause of why GRC is stillborn.

As a group, we need to come to the consensus that half of the security industry is a bunch of spam-sending FUD-mongering dotcom dropouts with MBAs who see the “perfect storm” of money and opportunity that an uncertain-but-necessary niche market brings.  Furthermore, I say we distance ourselves from them because they make the rest of us look bad.

These are the same people who pitched technical policy compliance solutions for SOX which became continuous compliance which begat risk management which begat GRC.  Do we really need all this cr*p?

Look at the warning signs of this half of the industry; these were just as true for the dotcom era:

  • New companies and products you’ve never heard of
  • Staff nobody’s ever heard of
  • “Trendy” product class that everybody wants to do this year
  • Claim to have product purchased by a “Major Financial Institution”
  • Is a rebranding of a previously-failing product
  • Company was not security-focused last year
  • Company and product life-span of ~2 years
  • No alignment with other vendors or industry leaders
  • Technology is “hoaky”: SIEM solutions using MS Access as the back-end
  • Feels “gimmicky”

If you see any of these in a prospective vendor, run away now!  And if you do buy, don’t say I didn’t warn you.

Now, in a past life, SSG Rybolov would say something witty like how people who are used to preventing and detecting fraud should be able to come up with a model to keep people from invading the industry looking for the filthy lucre.  In fact, I think I just might have.  =)

The other half of you all, the non-snake-oil-selling half, is great; keep up the good work and never, ever go to the dark side.

7 Responses

  1.  Marcin Says:

    I can’t stand hearing about GRC. I think it’s the biggest bullshit around. Ugh, compliance people kill me.

  2.  rybolov Says:

    I don’t get compliance much myself–it only works with limited scope and purpose and is not something that scales enterprise-wide.

    There is a place for something along the lines of GRC, but it’s not really a full product, more like a traceability matrix to know which rules apply to you.

    Hey, there might even be one vendor that survives the inevitable fallout.

  3.  Anton Chuvakin Says:

    >Technology is “hoaky”–SIEM
    >solutions using MS Access
    >as the back-end

    CA SCC used to do that a few years ago. Who is it this time?

  4.  rybolov Says:

    Hi Anton.

    It was a couple of years ago, but they were this one-off solution that nobody had heard of, but we were talking to all the SIEM vendors and giving them a cookoff.

    There was the typical list of the big 4 who do this sort of thing and then there are the also-rans; the people with the Access backend were one of the latter.

  5.  Darren Couch Says:

    Well, maybe a sweep and clear mentality could be adopted to purge the strip malls of their kind, in the style of the Crimson Permanent Assurance… =)

  6.  Vlad the Impaler Says:

    Sorry for touching the old nerve…

  7.  Mini-Me Says:

    Automated compliance tools!!!
