Dunking on cyber security vendors might predate the Ice Age, but is it completely deserved? At a time when we urgently need more people to get into the field, I believe we should do more to celebrate the purpose and mission of a vendor-side career.
There again, as someone who works for a vendor, can you really trust anything I have to say?
Vendor Scepticism vs Vendor Cynicism
Vendors do, of course, get plenty of things wrong. There will always be a distasteful sales email going around. The security industry is also prone to peddling fear, uncertainty, and doubt (FUD), as well as overpromising on the potential of the latest technological buzzword.
However, I don't believe this sort of behaviour is the norm in the way it is sometimes made out to be (especially on social media). Cyber security customers are far more educated than they used to be. This means dubious vendor solutions get found out far more quickly than in the past. A looming recession will only exemplify this further: increased pressure on security budgets will lead to tougher questions and clearer justification required before turning to vendor solutions.
A healthy dose of vendor scepticism will always have a place as an important check and balance on the industry. Security functions should absolutely challenge vendors to make sure their solutions will work properly and fit in with use cases.
The problem is when vendor scepticism slips into unhelpful cynicism.
Vendor cynicism assumes incompetence and malign intent by default. Yet, it increasingly feels hackneyed – a stale and repetitive joke uninterested in nuance. Blindly assuming the private sector has greedy intent and will prioritise profit above all else is simply out of tune with reality. That is because many security companies make massive contributions to our space and have strong mission cultures.
Celebrating Security Vendors
Vendors play a vital role in cyber security and this should be celebrated. Security companies are at the forefront of most of the industry's challenges. Whether it be a sneaky supply chain compromise, ransomware on the loose during a pandemic, or an elevated Russian threat amid an invasion, security vendors continue to play a key role in delivering critical protection measures and remediation to those in need.
Vendors have also played a big role in the ongoing Ukraine crisis – both behind the scenes and through informing the wider security community. These contributions might pale in comparison to the heroics of Ukrainian citizens right now, yet vendors are absolutely contributing to a meaningful cause.
It has been interesting to see how government advisories are increasingly complemented by industry analysis. For example, a CISA INCONTROLLER advisory was accompanied by in-depth Mandiant and Dragos analysis. Likewise, INDUSTROYER2 reporting was a combination of CERT UA and ESET research. These are fantastic partnerships drawing on a variety of perspectives.
Security companies also bring desperately needed innovation. The cyber security skill shortage means automation and scalable solutions will become increasingly necessary in the coming years. Security vendors are highly incentivised to solve this problem, reflected by the vast resources being invested into relevant research and development.
Compared to internal security functions, vendors also possess deeper pockets of expertise that make unique contributions. For example, most internal CTI functions are relatively small and lack the resources to track and attribute multiple threat clusters in the same way that a large CTI vendor can. By serving multiple clients, vendors have the scale to examine security issues in significant detail that is rare to find elsewhere in the security community.
Why It Matters
Perhaps you think I am just concocting my own vendor Kool-Aid. However, there are wider and far more important issues at play beyond me patting myself on the back.
Ultimately, vendor cynicism has consequences. It shapes how security providers are perceived by the broader security community. It creates a culture of mistrust that seeps into the broader industry.
Cynicism also influences career path perceptions, especially for new joiners. We should never shy away from discussing the very real challenges that exist in a security career, but there are plenty of positive stories to be told as well.
Many vendors have fantastic mission-driven cultures and values. We should never forget the huge purpose and mission that can accompany a career in industry. For instance, I find the work we do at Mandiant hugely meaningful. I feel proud to be working at a company that is often playing a key role in responding to some of the most complex challenges and breaches.
It is often said that a government career entails a fantastic mission with low pay, while industry provides chunkier salaries but with less meaningful work. I believe this is a false dichotomy. There may be some exciting work that is only appropriate for government agencies, yet there is plenty of zest to an industry career as well. We should therefore celebrate what can be a tremendously rewarding vocation and calling, one we should be encouraging people to join.
It might be deeply unfashionable to defend security vendors, yet I believe a more positive rebrand is long overdue.