Michael R. Farnum

Hitting the Security Nerve

Grasshopper! FUD sells products, but calmness equals REAL security

Way back in February (man, is it April already?), I went to the RSA show in San Francisco. And I went as press, which has since garnered me many emails from vendors about new releases of their products and how they are solving the world's security ills with their latest gadget. And more often than not, I do a cursory glance at these emails, then I delete them and go about what I was doing before. But as I was deleting my latest batch of these emails, it struck me just how much people feed off of security problems to make a buck, and they are often not making anything better in the long run.

 

Here's a quote from one of the emails I received:

...with the announcement from TJX on Friday, at least 57 million people are faced with the undeniable reality of identity theft after hackers stole their credit/debit card information through TJX’s unsecured payment system. Could you be one of the victims?

I cannot mention the vendor that sent this out, but in case any of you received this same email, I want to say that I am not picking on this vendor. In fact, this vendor has done some good things for security. This just happened to stand out and fit my purposes. Also, I have no problem with making money, and if your product really fits the bill by offering a real solution, then great. But it really bothers me that this type of email goes out and spreads FUD everywhere, then says they have the very thing that can fix the problem, like a piece of hardware is going to do the trick.

 

I would like to take a quote from a comment on my SSL offloading post (which shows how gracious I am because the commenter was beating me over the head when he wrote this):

Security is a mindset, a commitment, a way of doing business. It's not a feature, it's not a product.

This is a great comment. And it completely fits the point I am trying to make. Security is not going to be fixed by a single product. You have to look at security as the overarching principle on how you work, live, etc. You take that 10,000-foot view, figure out what needs to be where, and plug those holes as best fits your security strategy.

 

And that is not always easy to do with vendors shooting out emails that scare your customers and your management. You have to take a step back, breathe, and then you have to convince your customers and management to do the same. Then you can look at the situation rationally, and you will make better decisions.
