Monday, February 18, 2013

Virtually Absolute. Or not.

It is almost time for the RSA Conference, where those in attendance (and via the media, those not in attendance) will be bombarded with hype and hyperbole, on topics old, less old, and, contrary to popular belief, even new.

The part of RSA which frustrates and demoralizes most attendees is the expo floor.  Some people avoid it entirely, which I can appreciate, but for those of us in the industry, we have to be on the floor, working for our companies, and checking out the state of the industry.  Others see it as a way to check out products and services, and talk directly to the vendors.  Whatever brings you to the expo floor, remember that it is a sales and lead generation event (which explains, poorly, the “booth babes”, fast cars, and other nonsense).

When talking to vendors, my standard advice applies: watch out for absolutes.  If anyone is claiming to have “the answer” to an InfoSec challenge, run away.  If someone claims to have “an answer”, you may want to listen if it interests you (but always keep the BS shields up, and keep an eye on the exit path). 

If you find someone who offers something shrouded in what are often derisively called “weasel words”, pay close attention.  These tend to fall into two categories:

Those overstating their product’s or service’s performance, who use weasel words to provide an escape clause for their “exaggerations”.

Those who know the world is complex and who are unwilling to promise the impossible, but believe in what they do.

In the former case, those not-quite-absolute words are indeed weasel words; in the latter, they are honesty.  Sadly, the former far outweighs the latter.  It may not be a compelling statement, but if someone tells you “I think we may be able to help you solve part of your challenge”, pay attention.  Maybe they’re offering crap, but more likely they are being brutally honest about the challenges of InfoSec, and have probably been in the trenches themselves and didn’t appreciate vendor tall tales.

Note: this advice primarily applies to face-to-face conversations.  Banners and marketing materials have to grab your attention; admit it, you aren’t going to respond if they don’t grab you.

And yes, as implied above, I’ll be at RSA, Tuesday-Thursday, mostly in the Tenable booth (it seems like the least I can do for them, considering the regular paychecks they send me).  I’ll also be around BSides San Francisco on Sunday and Monday.  Stop by and say hello; I’m pretty easy to spot.