EGeezer (Premium member, joined 2002-08-04)
Selling through FUD and severity ratings
We've all seen it - the security alert that's rated critical by one vendor, medium or low by another.
This is a pretty good article from a solution provider's perspective on how the industry spins security alerts to sell or justify product. However, the problem also affects sysadmins and IT managers. The issue raised is that spinning and inflating (or deflating) risk ratings makes prioritising difficult for system administrators, and makes it difficult for solution providers and consultants to make recommendations to their customers.
Another point: for the home or SOHO folks with out-of-the-box apps in simple networks, patching is straightforward. However, those with customised multivendor applications and complex or critical networks need to be able to assign priorities for their QA teams. The marketing hype makes the task of maintaining systems more difficult and expensive.
Symantec is mentioned prominently in the article, but a read shows they are only one of many who do this disservice to the IT community.
said by article:
Solution providers say that some vendors are using the alerts to promote their own self-serving interests, unfairly tarring rivals with higher vulnerability ratings and refusing to publicly air their own dirty laundry. They say what's needed is a "no spin zone."
But even without the spin, the vendors putting out the alerts often come up with widely differing scores on a particular vulnerability. This lack of consensus requires solution providers to spend valuable time calming their customers' fears and defending their vendor partners' products. Many solution providers told CRN they're often stuck in the middle between their vendor partners and customers after an alert is issued, which is putting their traditional role of trusted advisor to the test.