Can We Talk?
Miscommunication between IT people and vendors is a chief reason why security products don't work the way they should
September 1, 2006
1:20 PM -- Vendors suck. What the hell's wrong with this thing, anyway? We bought it a month ago, and it still doesn't work. Why can't this stuff just work out of the box?
Users are idiots. They aren't even using a quarter of the product's functionality. Now they're complaining because it doesn't do something it was never designed to do in the first place. Why can't they just read the documentation?
If you've ever uttered one or more of the above sentences, congratulations. You are a bona fide, human member of the IT security industry. And whether you're an IT pro or a security vendor, you're ticked off because security products don't work the way they should.
Unfortunately, you're also part of the problem. Because one of the chief reasons security products don't work is a lack of communication between users and vendors. Check out this week's Top 10 Reasons Security Products Don't Work.
When we stewed up that story, our goal was to talk to users and vendors independently, asking them to give their own perspectives on the faults and problems with current security technology. We felt there was a disconnect between what users were telling us and what vendors were saying. Man, were we right. In some cases, the users and vendors we interviewed didn't even seem to be on the same planet, much less the same page.
It's hard to generalize about security products, because they cover such a wide spectrum, but users and vendors each made some excellent points. IT managers, for example, pointed out that today's palette of security products is deeply flawed. Many current offerings are hard to use, and many others contain holes or shortcomings that make them easy to circumvent. Even when products work as they should, they often produce false positives or provide insufficient protection against zero-day attacks.
But vendors made some equally salient points. Many IT departments fail to follow directions or get proper training when they implement new security tools. Many others manage to configure the functionality right out of their products, and many more fail to update their products after they've installed them.
The bottom line for both sides, however, is a lack of communication. IT people often find themselves disappointed in security products because they don't understand what the product was supposed to do in the first place. They don't fully evaluate its capabilities, or they expect it to fix all of their problems out of the box. Often, they're so focused on the one problem they're trying to solve that they fail to realize the potential of the solution. They're so deep in their own holes that they can't see the field, and they're so numb from vendor product pitches that they aren't really listening anymore.
Vendors do a little more listening – they have to if they want to make any sales – but they often don't act on what they hear. They have an idea, and that idea often trumps actual user demand when it comes time to do product development. They might know what users want, but that knowledge often is lost during the actual development and marketing of the product. And of course, many of them are guilty of overhyping and overpromising on their products, raising user expectations and then dashing them against the rocks.
Wouldn't it be nice if users who really knew what they wanted could speak directly to vendor development teams (not salespeople) who could actually do something about it? We think it would be. And we're willing to put our money where our mouth is. If you have an idea for a product, or an enhancement to an existing product, send it to the message board attached to this column. Maybe we can get some of this talk going right now.
Note: Your responses are invited! But please don't send email – post your feedback to the Dark Reading message board.
— Tim Wilson, Site Editor, Dark Reading