The Third Wave of FUD: Pre-emptive FUD Against Other Solution Categories
Today our invited post is from David Etue, a vendor speaking about FUD in information security marketing. Yes, he has skin in the game and yes, he knows it. But his larger point is that when marketers point FUD at vendors in other markets, intellectual honesty and customer information are the victims.
By David Etue (Twitter: @djetue)
Disclosure: I am a marketing guy - a VP of Products and Markets at Fidelis Security Systems, a network security company addressing problems from cyber defense to DLP. That's my conflict, and now it's disclosed.
Sadly, FUD continues to evolve, and not in a positive way. As Anton Chuvakin has pointed out, FUD's role in security today probably overshadows the role of any other factor we know. However, vendors' use of FUD is continually evolving, and has now reached what I consider to be its Third Wave: Fear, Uncertainty and Doubt against other solution categories. In order to understand the third wave, we'll first look back at what I consider the first and second waves.
The First Wave
The "first wave" of FUD is when vendors use fear, uncertainty and doubt to convince (well, scare) an organization into buying their security product. Rather than learning a customer's organization and explaining how the technology, along with people and process, benefits the customer's risk management program, this FUD involves targeted messages to the end user on how they will be hacked, fail an audit, lose their job, etc. if they don't purchase this product.
This first wave of FUD is still omnipresent today, but many consider it misdemeanor-level FUD, as it is also the easiest for the end user to detect: it often overlaps with "silver bullet FUD" stating how the product solves all information security problems, and maybe even world hunger too.
The Second Wave
The "second wave" of FUD targets competitors in the same sub-sector of a given industry; this is FUD-marketing attacking the competition to win the customer bake-off. Again, rather than competing the noble way and articulating how product differentiators affect the customer's cost of ownership and benefit their risk management program in order to gain selection, many resort to competitive FUD. There are a few different types of second wave FUD:
- Bogus Requirements: This FUD consists of establishing criteria that have NO or LOW material mapping to how the organization would use the product, and therefore no benefit, yet will eliminate competitive solutions. My personal favorite examples are when organizations require esoteric templates, often compliance related, in the product with NO relevancy to their organization because one vendor has them and convinced them to include it in the specification.
- Bogus Features: I have a product management background so I often refer to these as "test cases", versus "use cases." These are typically extraneous, but can sometimes be intentionally malicious. The extraneous cases consist of creating an event that would never happen in the real world, modifying your product to cover it, and then convincing the end user it matters. A few years ago, I came across a great example of the more malicious kind from a data leakage prevention (DLP) vendor, where they had modified their product (whether intentionally or unintentionally) to alert on a Social Security Number ending in "0000", which is not a valid SSN (the Social Security Administration never assigns serial number 0000). The vendor then proceeded to provide the end user with a test file of SSNs ending in four zeros, and then claimed to be the only vendor to detect the file "correctly!"
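To make the "bogus feature" concrete, here is an added example (not code from the original post or from any vendor's product) of what a minimal, honest SSN detector for a DLP-style scanner looks like: a pattern match followed by the Social Security Administration's structural validity rules, which reject area 000, 666 and 900-999, group 00 and serial 0000 (these rules survived the SSA's 2011 randomization of assignment). The sample text, the `NEVER_ISSUED` set and the function names are constructed for this illustration. Such a detector correctly does NOT fire on the "ends in 0000" test file, which is exactly why a vendor that alerts on it is detecting an invalid number rather than a real one.

```python
import re
from typing import List

# Three digit groups with a consistent separator: none, "-" or " ".
# The backreference \2 forces "123-45-6789" or "123 45 6789", not "123-45 6789".
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")

# Constructed deny-list for this example: 078-05-1120 is the well-known
# "Woolworth wallet" number that the SSA published and will never assign.
NEVER_ISSUED = {"078051120"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA structural rules to the three parts of a candidate SSN.

    Returns False for numbers the SSA never issues. A True result means
    "structurally assignable", not "actually issued to someone".
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # area 000, 666 and 900-999 are never used
        return False
    if g == 0:                           # group 00 is never used
        return False
    if s == 0:                           # serial 0000 is never used (the vendor's bogus test file)
        return False
    if area + group + serial in NEVER_ISSUED:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return plausible SSNs found in text, normalized to AAA-GG-SSSS form."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


# Constructed sample document: one real-looking SSN, one unformatted one,
# the vendor's "ends in 0000" test case, several other invalid forms and a phone number.
SAMPLE = """\
Alice 536-24-1234
Order 123456789
Bob 123-45-0000
Carol 000-12-3456
Dave 666-33-4444
Eve 987-65-4321
Frank 123-00-4567
Phone 555-123-4567
Woolworth 078-05-1120
"""

if __name__ == "__main__":
    for ssn in find_ssns(SAMPLE):
        print("possible SSN:", ssn)
```

Run as-is, the scanner reports only `536-24-1234` and `123-45-6789`; the "ends in 0000" line, the phone number and the other structurally impossible numbers produce no alert. A production DLP engine would add context checks (nearby keywords such as "SSN", proximity to names) to cut false positives further, but none of that changes the point: a test file of serial-0000 numbers is a test case, not a use case.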
The Third Wave
Unfortunately, we've gone past these to the "third wave" of FUD, where FUD is used to compete for a customer's mind-share versus other solution categories. Rather than using FUD as a compelling event (FUD wave one), or competitive FUD to gain selection (FUD wave two), vendors are now FUDing for mind share before projects even start! A great example of this is Gunter Ollmann of Damballa's blog post, Botnet Prevention with DLP Technologies.
I am pretty familiar with the DLP space, and I'm not aware of many cases of vendors using botnets, or even botnet FUD, as a primary selling point of a DLP solution. However, Gunter goes out of his way to try to make a point that he can't "see a reason for [DLP] existing as a separate security technology anyway."
As an aside, I'd recommend that Gunter choose his FUD more carefully in the future. Much of his "DLP doesn't do botnet" FUD could also be used to argue why a separate botnet appliance (like Damballa) shouldn't exist as a "separate security technology", as he makes a compelling argument that IPS, anti-spam and perimeter Web gateway help stop nodes from being infected over the network; anti-virus best deals with determining "malicious intent of the binary files"; and IP/Domain/URL blocking technologies are effective at blocking command and control.
Why is Gunter focusing Botnet FUD at DLP?
While botnets certainly may play a role in data exfiltration, Damballa's mission of protecting "businesses from bot-driven targeted attacks used for organized, online crime" and DLP's focus on content-aware data security are fairly different. I think the reason is that DLP is currently a funded market category with named, funded projects in the large enterprises that Damballa is interested in selling to.
These same enterprises don't have a named "botnet detection" project or budget, so the battle for dollars and mind share has begun. He is not alone in this FUD, as many other vendors have joined this third wave of FUD against DLP alone. For example, Lancope announced their DLP solution that is soooooo good that it is "not dependent upon packet-level data" (thanks to Rich Mogull of Securosis for calling out this FUD in his blog post Hit the Snooze on Lancope's Data Loss Alarms). There are many more examples across the security landscape.
So, how did we get to this third wave? I have a few ideas.
First, the security buyer is suffering from information overload. If we look across the security product landscape, Gartner has a taxonomy that defines 159 discrete security topics ranging from infrastructure protection to identity & access management to compliance, risk & governance. This overwhelming list of "solutions" is way too many categories for an end user to possibly navigate, let alone have in depth knowledge of how they would benefit their organization's risk management program.
Second, there is very little spending on new security projects, or new IT projects in general. According to the quarterly Citi CIO Survey for the fourth quarter of 2009 (by Richard Gardner and Aswin Shirviakar), the 80:20 rule applies to existing projects and maintenance versus new IT spending: "about 80% of IT spending over the next year is expected to be maintenance." This report also states that "security spending intentions remain high yet just stable." What does this mean? Any product within the Gartner 159 security categories that is not yet deployed is fighting for the 20% of IT security spending that goes to new projects, and the overall pie from which that 20% is derived isn't growing, so more and more solutions are fighting for budgets that are flat.
Finally, compliance spending continues to drive the majority of security dollars. The same Citi CIO survey noted that government regulations were a significant driver of spending. As compliance regulations have become more prescriptive, this compliance spending has become very focused on a small number of traditional (some may call legacy) security controls.
The Payment Card Industry Data Security Standard (PCI DSS) is a great example of this: as Josh Corman points out, it only explicitly requires nine security technologies (firewall; IDS; anti-virus; log management; encryption; vulnerability scanning; web application firewalls or application reviews; integrity monitoring; and patch management). This leaves 150 of the 159 Gartner sub-sectors of security - many with technologies solving significant challenges important to enterprises today - not required by compliance.
So, we have a confused buyer not able to keep up with the number of security product categories available, let alone the products within them. They may have little motivation to learn as budget pressures allow for few new projects, especially when 80% of the budget is spent on existing projects and maintenance. Top that off with compliance driving spending to a small number of legacy controls.
This leaves the remaining vendors thinking "If they have one discretionary project left, it MUST come to my project," and makes them incredibly focused on driving the small fraction of remaining budget to their solution. This is no excuse for the use of FUD, but is a sobering view of the state of the information security industry today.
Conclusion
Information security has reached a desperate time, and some say desperate times call for desperate measures. However, these desperate measures should be to the benefit of the end user, not any single vendor. I would suggest that the presence of third-wave FUD is an indicator of the desperation of a solution to find its way in a crowded marketplace. This is a commentary on both the marketplace and the vendors who seek to use it. In a time when we all want to drive FUD down, adding a third wave should not be acceptable.
In the interest of continued disclosure, I remind you, I am a vendor. But am I wrong?
Which examples of third-wave FUD do you have?