John Thompson’s (Symantec) Ironic warning of “Conflict of Interest”
Infoworld ran an interesting article on John Thompson’s recent CeBIT keynote in which he took a shot at Microsoft by suggesting that there is an inherently "…huge conflict of interest for one company to provide both an operating platform and a security platform."
I suppose that opinion depends upon whether or not said company suggests that their security controls are all that are needed to secure said operating system or that defense in depth is not needed.
Here’s why I find this statement interesting and I am going to twist it by agreeing with the statement within the context of the same argument pertaining to Cisco as an extension to the many, many articles I have already written on this topic.
Given just the last rash of vulnerabilities in Cisco’s routing, switching and security products a few weeks ago, I believe it’s also a mistake (you can read "conflict of interest" if you desire) for Cisco (le fox) to protect the network (le chicken.) That’s the same argument of the "operating system" and the "security platform."
I think it’s simply not relevant or appropriate to simply shrug off issues like this just because of Cisco’s size and the apparent manifest destiny associated with security "going into the switch" — just because it does and more than likely will — does not mean it should and does not mean that people will settle for "good enough" security when the network consistently fails to self-defend.
I don’t disagree that more and more security *will* make its way into the network switches, much like I don’t disagree that the sun will rise in the east and set in the west, but much in the same way that folks don’t just give up and go to sleep once the sun goes down, the lightbulb that goes on in my head suggests there is a better way.
/Hoff
The irony in my mind is that the entire security industry — anti-virus in particular — is based on a conflict of interest. Symantec's value proposition is directly proportional to the severity of the threat landscape faced by its customers, and inversely proportional to the effectiveness of security measures in non-Symantec products.
Of course, AV companies go to great lengths to avoid appearance of impropriety, e.g. by prohibiting their employees from having any correspondence with virus writers. But what about that grey area, such as when Symantec Security Response Team produces threat reports on major products (like Vista), which may provide useful information for those looking for wormable flaws?
John Thompson might want to look out for his own glass house, first.
I would not argue with you there. As I mentioned, I was being quite selfish when I used his quote for my own "ill-gotten gains" 😉
I feel so dirty.
Love the handle, by the way. I think that were I to re-title my Blog, I'd call it "PorkBellyFutures" 😉
/Hoff
Companies like Symantec won't let Windows come out with a secure OS without a fight. Their business is pretty much centered on the assumption that Windows will remain vulnerable.