Why Encryption is a Hard Sell

My last posting generated a few comments condemning vendors who exaggerate the capabilities of their security products. The security market is now fairly mature, so it’s surprising that vendors are naïve enough to think that slick marketing is the way to boost their sales. Product spin is a complete turn-off for security professionals. Encryption products, in particular, require careful marketing, because they are one of the hardest sells of all. And that’s not just because of the aversion of the security community to bad marketing campaigns. It’s also because there are fundamental difficulties in introducing new encryption systems. Here's why.

First there’s the business case. Encryption is usually expensive to buy, disruptive to implement and difficult to manage. And it adds little obvious direct business value. It’s one of those invisible assets that you only notice when it messes up your communications. Business managers and Boards won’t be excited by the prospect of having unbreakable security protection for their information. They’re more interested in the business benefits. And these are more likely to be a leap of faith rather than a certain bet.

Secondly there is the enormous gestation period between conception and market acceptance for a new encryption system. New algorithms have to be peer-reviewed, debated, tested and accepted by the international community before they can be productised. And new products have to be evaluated, certified and in many cases approved by government or regulatory authorities before many customers will even consider them.

Then there is the marketing of the product. If it’s revolutionary and offers competitive edge, then it probably won’t be suitable for communicating with the rest of the business world. If it simply meets the latest standard, then it will lack a unique selling point. If it’s claimed to be foolproof, nobody will believe it. If it makes false claims it will be discredited. And if it’s questioned by a leading guru, it’s dead in the water.

Finally there is the long sales cycle, as customers consider the numerous implications of rolling out a new encryption system. Will it satisfy the standards of the service manager? Does it require a refresh of the desktop? Will legacy applications or hardware (e.g. ATMs) need to be adapted? Does an engineer have to visit each user site? These requirements might take months, if not years, to implement. And in the meantime, the venture capitalists that originally backed the product will be developing ulcers and considering pulling the plug on their investment with little prospect of an early sale to prove the concept.

Comments (2)

Patrik Fredriksson:

I tend to agree with this to a great extent. However, you do fail to mention that there are exceptions to the notion that it's difficult or disruptive to implement. Believe it or not, there are some platforms out there that are not that difficult to implement and that don't disrupt the workflow.

Without naming any certain companies, there are solutions out there that promise a lot but actually do deliver.

Of course, there are an equal amount of them who deliver substantially less than what they promise.

Then again, I'm pretty sure that implementing something like Vista is less likely than implementing something that will actually help organizations instead of stifle them ;)

As a financial organisation we have seen an increase in the need for secure communication with our business partners and end customers. For many years we have been investing in external threat protection. This has now changed to protecting against data leakage and securing our business communication. The problem with email encryption is the administration overhead of working with inherently old PKI systems that use keys and certificates, which is a flawed system when it comes to archiving or disaster recovery of encrypted emails. Fortunately we came across an Email Encryption Service called VSN Encrypt http://vsn.visus-it.com which leverages IBE technology which uses a user's email address as a Public Key. This completely took away the administration overhead of Email Encryption and allows our users to encrypt their communications with just one click! Simple.

About

This page contains a single entry from the blog posted on September 28, 2007 11:40 AM.