Tall Tales Vacuum Salesmen Tell

When my wife and I first moved into a new neighborhood a number of years ago, there was a salesperson from a particularly high-end vacuum company that went door-to-door selling their units for these new houses. (I guess they assumed everyone who moved in must have been rich, because buying a $1,500 vacuum isn’t something most of us care for.) Anyway, it was one of those sales tactics I remembered again in a recent meeting with a vendor making a pitch for their products.

 

The ruse with the vacuum salesperson went something like this:

 

Salesperson: “Do you mind if I show you how much your current vacuum misses?”

 

Me: “Sure, go ahead”

 

Salesperson: “OK, so I’m going to pour some dirt on this piece of carpet I carry around with me, just so I don’t ruin your carpet. Then I’m going to ask you to vacuum it with your vacuum. After you’re done I’ll use my vacuum to show you all the things your current unit is missing. I think you’ll be quite impressed.”

 

Me: “I can’t wait.”

 

The salesperson then pulls out piece of carpet, pours some potting soil on it, rubs it in, and dumps some very fine ‘pepper- type’ material down too. I then proceed to use my favorite vacuum and pick up as much of the dirt as I’m able to. The carpet looks clean, there isn’t any dirt visible. The sales person then takes out his equipment and proceeds to vacuum up a bunch more dirt.

 

Salesperson: “See how much your vacuum is missing! You need this great new unit, buy one now!”

 

I don’t need to tell you how the rest of that sales call went, but suffice to say, I don’t have one of those fancy vacuums that was insanely expensive.

 

Oddly, this story reminds me of what I just went through, and I’m sure many of you out there go through. It’s a common tactic, but in the security world it goes like this:

 

  • Security vendor shows up to talk about their latest ‘widget’ or box that is the end-all in whatever type of filtering and attack detection
  • Vendor asks if they can plug their widget/box in behind your existing widget/box to show you all the things you’re missing
  • After the exercise you’re going to want to buy their box and throw away what you have now, because it’s clearly inadequate

Wait! Before you do all that, ask the vendor to flip the order. Put their shiny new widget/box in front and see how much your existing thing still finds. No one ever does that … I asked myself why.  The answer is likely quite simple — that shiny new thing would likely be just as porous, but on different points or it would catch/miss different attacks. This is one of the reasons we in security like defense in depth, right?

 

It was surreal watching a vendor use this strategy to talk about the inadequacy of someone else’s technology, when that same competitor does the same to them, with the same relative level of success. The only ones who get lost in any of this are the buyers. While the vendors continue to bank on the customer having just enough knowledge to not figure out the trick, customers need to educate themselves better and make smarter technology evaluation decisions. Moreover, customers need to understand what their actual needs and Critical-To-Quality points (CTQs — things that are true requirements) are. Any time you fall for this “We detect x% more than the other guy”  play, you demonstrate your inability to make smart choices and adequately understand the security market.

 

Don’t fall for this. Make a list of requirements ahead of time. Know what you’re looking for, and never let the vendors run the evaluations without letting you design the situation. It’s like, in the software security tools realm, as a vendor I remember being accused of only testing tools against a platform we wrote and knew we would score well on. When the customer lacks a way of testing tools impartially, the vendors with the shiniest box and the slickest sales talk always wins.

 

P.T. Barnum once quipped, “There’s a sucker born every minute.” Don’t be that sucker.

Comments
Mike Fornal(anon) | ‎05-14-2013 02:50 PM

Raf,

This why like to have a vendor check list. My checklist has my requirments to address my security policies and other requirements that way I can evenly compare my shiny blinky box to theirs.

 

 

Thanks,

Mike

@fornalm

TestWithUs(anon) | ‎05-22-2013 05:16 AM
Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
About the Author


Follow Us
Community Announcements
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation