Security Vendors Offering Guarantees Is Totally Irresponsible

Who has seen a “Zero Malware Guarantee”, or something like it?

More to the point: who saw this and thought what a load of bull$#@?

Anyone who knows even the most basic aspects of information security knows that the ONLY guarantee is that nothing is safe. Ever. To throw out a word like guarantee is nothing except the most despicable attempt to drive business in a field where the experts are SUPPOSED to be trusted!

What is the guarantee? “…to detect and stop 100 percent of malware that propagates over the web and is scanned by the [blah blah] Managed Anti-Malware Service”. Could this ‘guarantee’ be any more pointless? Who wrote this? Lawyers?

What’s worse, here’s what you get if they fail to detect and stop 100% of the malware: “…one-month extension of the service at no cost, up to four times per year.”

Seriously? It didn’t work, but you get one more month for free? And why would you possibly need to do this FOUR times in a year? Would you seriously still pay for the service after a second failure, let alone a third?!

Doctor to dying patient: “The drugs we gave you aren’t working, but here, have some more on the house.”

Surely if the product is that good, this vendor and vendors like them (there are many) should WARRANTEE their products. “If we screw up we’ll pay for the fix AND give you your money back.” Now THAT’S something I can get behind!

You can guess how often that will happen.

The reason this is so offensive to me is that security is already seen as something to spend money on only because you have to. Like insurance. And this crass commercialisation of yet another security PRODUCT just makes everyone in the information security field look like ambulance chasers. Incompetent ones at that.

Eradication of malware (as in the above example) STARTS with policy and procedures, continues on with parallel efforts in security awareness training and control definition, and is maintained by a security program done well. Just like every other aspect of security. So the only reason security companies keep coming up with these snake oil ads is because people keep buying stuff from them.

Don’t. Do. It.

I can empathise with organisations struggling to understand security and buying what they think is the right thing for their business. What I cannot even begin to condone is any organisation selling something TO those organisations when the seller damned well DOES know better!

You never need guarantees in security, you only need appropriate security. You can start by avoiding any organisation that begins with making empty promises.

If you think I'm wrong, please tell me why!

