When dissing a hacked security vendor exposes your own foolishness

Of course nobody should like it when a trusted security vendor gets hacked, as has happened to Barracuda Networks. But other vendors trying to capitalize on another's misfortune is just plain stupid.

That's exactly what I've seen since news broke that someone had hacked into Barracuda's database: Comments on Twitter, in emails and elsewhere where folks representing other vendors point a finger and balk at the latest security vendor to be exposed -- as if the same could never happen to them.

Customers have every right to hold a vendor's feet to the flame. In fact, they owe it to themselves to do so. I touched on that in a recent post called "When security vendors fail: Three strikes and you're out."

In that post, I suggested that everyone should get a chance to correct the problems that allowed a first breach. If there's a second breach, a second chance is warranted when the company is honest and seeks help from the wider security community. If it happens a third time, then maybe they need to be out of the game.

I still feel that way.


But to skin a vendor alive in the twittersphere because imperfections were exposed is something that doesn't necessarily lead to a more secure product.

If anything, it's like a group of misfits in the schoolyard beating up on another kid just because he's even more awkward and ugly than they are. That's a typical human failing: When we're insecure about ourselves, we take comfort in someone else's misfortune. We may be pathetic, but at least we're not as bad as the next guy.

That's how it becomes when a security vendor fails. Other vendors pile on.

To be fair, in the case of Barracuda, other vendors have also expressed sympathy and understanding. One example was a blog post from my friend Alan Shimel, managing partner in The CISO Group. He writes:

It appears that the information made public, while embarrassing for a security company to have disclosed, was not financially valuable in and of itself. Of course any security breach at a security company could be damaging to their reputation, and with that damage to reputation could come financial loss.

However, let's be clear here. This kind of thing could happen to any of us. In my case it did. It was just three or four years ago that my blog and email accounts were hacked. But besides that, Barracuda joins some decent company. RSA, McAfee, Symantec, Comodo, Kaspersky and Google, to name a few, have all suffered hacking.

So this really is a case of it could happen to any company. Recently it appears that security companies themselves have been targeted for hacking. For that reason any company that would fault Barracuda for what happened here is really playing with fire. They may find themselves the next one in the glass house while someone else throws stones.

I'd take it a step further. They're not just playing with fire. They're also being stupid and misleading their own customers about just how safe they are.

Josh Corman, one of the razor-sharp minds at The 451 Group, tweeted that he isn't interested in hearing from companies who would say this sort of thing would never happen to them.

I'm with him.

And so all such emails, PR pitches and social networking messages will be treated like the junk that they are.

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.
