Security companies shouldn’t be this thin-skinned

Security defenses are not merely about encryption, firewalls and antivirus software. Security deterrence goes beyond technology into the realm of psychology and perceptions. Make a target appear to be more secure and attackers will turn their attention elsewhere. What you say is important. 

A case in point of a security company not understanding the power of perception is FireEye, which recently launched legal action against security research company ERNW. ERNW had issued an advisory about some FireEye security holes. But FireEye’s complaint is not that ERNW got its facts wrong. 

FireEye’s concern is that ERNW revealed too many technical details and that the disclosure exposed more of FireEye’s intellectual property than was needed. ERNW disagreed, saying that the specifics had to be revealed to make clear how the vulnerabilities posed a risk. 

If FireEye had been smart, it would have let it end there. But it didn’t, instead suing the company in a German court. FireEye was “not willing to expose any of the proprietary information that would put our business and customers at risk,” wrote FireEye’s vice president for global communications, Vitor C. De Souza, according to a story in CIO. “Under German law, they were also not allowed to release intellectual property that was not theirs.” 

De Souza’s argument is solid and would be appropriate if made on behalf of an aerospace or pharmaceutical firm. But a security company isn’t like other companies when it comes to the need to protect its intellectual property. It’s that perception thing, and FireEye got tripped up by it. 

FireEye thinks it’s justified to say, “We will do everything necessary to protect our intellectual property.” But what its customers and prospects hear is a scared security company, freaked out by someone revealing a security hole. That’s bad for a couple of reasons. First, the lawsuit keeps the story of the vulnerabilities in the headlines, making it far more likely that it will pop to the top of search results for FireEye. Second, it sends the message that FireEye wants to shut down or even punish a security researcher who found flaws in its systems. From the perspective of customers and prospects, the security researcher is the hero; FireEye’s move makes it the villain in their eyes. After all, it’s not disputing what the researcher said. FireEye comes off as a company that wants to stifle criticism and keep its flaws secret. It’s not a great way to retain your customers’ confidence in your products. 

FireEye did properly patch the holes and announced that to customers. That was the right thing to do, of course. What it should have done next was to embrace ERNW’s findings, give the researchers all of the credit (remembering that customers view security researchers as the good guys), thank the researchers — and then shut up. Wise customers don’t expect a complex security product to be perfect, but they do expect the vendor to be ever ready and willing to improve it when its failings become known. Having failed to convince ERNW that it was going to needlessly expose its intellectual property, its next move should have been to go on about its business. That conveys confidence, which customers want in their security vendors. Taking legal action conveys a lack of confidence in its own systems, while making the company appear petty and vindictive. In other words, it projects the worst possible image. 

And it’s not just customers and prospects who will respond to that projected image. Cyberthieves, identity thieves, terrorists and other bad guys will smell the fear and start probing FireEye systems for similar vulnerabilities, guessing that a vendor that is this defensive will likely fix the current hole and little else.

And if customers and prospects see that there is rising chatter among the bad guys as they thoroughly probe FireEye, those IT execs are going to get nervous and start looking for a security firm that is less of a target. 

FireEye may have made the right move based on recommendations from Legal, but where the heck was Marketing? They are supposed to be the customer perspective experts.