> I guess my real intent was to rebut Michal's statement that the blame
> should fall, partially at least, on the vendors. Vendors build what
> they can sell.
I don't blame vendors for selling products that the market needs... but it's also difficult to deny the existence of a fairly strong feedback loop: vendors often take part in creating new markets (through PR activities and exec-targeted advertising), or have a say in defining compliance frameworks that put an emphasis on commercial and easily measurable efforts. This, in turn, affects the shape of future IT departments and their needs.

Given that skilled security practitioners are in short supply and are difficult to tell from so-so ones (existing certifications don't help that much), I actually think that vendors have a more dominant role in this process than any other coherent group could.

Now, of course, pinning the blame is not a particularly productive pursuit. But in the end, partly because of such feedback loops, many large organizations lack the technical expertise to understand what determined attackers may attempt, and how to mitigate the threat. That's not a new problem, it's just one that the industry ignored in hopes it goes away; in this context, I'm not sure that the whole APT / cyberwar meme will do more good than harm.

/mz

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
