A stunning 96% of security products up for certification fail to achieve it on their first go, claims a report put out by ICSA Labs, a certification division of Verizon Business. The most common reasons for failure?
The report found the number one reason why a product fails during initial testing is that it doesn’t adequately perform as intended. Across seven product categories core product functionality accounted for 78 percent of initial test failures. For example, an anti-virus product failing to prevent infection and for firewalls or an IPS product not filtering malicious traffic.
The failure of a product to completely and accurately log data was the second most common reason. Incomplete or inaccurate logging of who did what and when accounted for 58 percent of initial failures.
Is it time to head for the hills? Well, maybe not: A security certification authority telling you un-certified products simply don’t work is a little bit like a rabbi telling you bacon isn’t worth the health risks: I’ll take my bacon, thank you very much, and you should probably keep using security products.
I thought Alan Shimel had an interesting take which might strike to the heart of the problem: It’s not that the products don’t work, it’s that they aren’t working the way they’re installed.
Now, you have to take all of this with a grain of salt because of where the report is coming from. Obviously ICSA admittedly has a vested interest in seeing more products get tested and users demanding that products are tested prior to buying. But from my experience with far too many security tools, without some expert implementation getting this stuff to work as intended is worse then putting together one of those do it yourself pieces of furniture that you get from Staples or Office Depot. As an industry we have to do better to making our solutions easier to install, easier to use and easier to see the value.ashimmy.com, The Ashimmy Blog, Nov 2009
So often, implementation and execution are half (or more) of the battle. Larry Walsh over on ChannelInsider worries about a larger threat from the report, however: That proper protection will simply take a backseat as users conclude that security doesn’t work anyways, so why bother.
The problem with this report is that it’s coming at a time when end users are questioning the value of the products they’ve spent millions of dollars on. While even bad security products will provide some level of threat protection, the ICSA findings could give end users some reason for pause when considering new purchases. Many security solution providers are complaining that end users—particularly SMBs—are reticent to invest in new security technologies because they don’t believe they’re at risk or don’t have the budget. The ICSA findings could give them a new reason to doubt the need for security investment.
I imagine those users will be in the minority: There are still too many high-profile data leakage cases, with ever increasing fines, for business owners. What do you think? Have you seen security products fail to operate as promised, or operate at all? Let me know in the comments or at Michael@ITKnowledgeExchange.com.