Root Cause: Supply Chain Vulnerabilities Unspoken Truths
This is not about a person, a competitor, or a company. It’s about what we could do as a collective. I learned at a very young age from my father – vote with your wallet. Meaning, if a company does things you don’t approve of, don’t spend money with them. Working together to create pressure for positive change in a company is a sure way of making a stand.
Supply chain vulnerabilities are obviously real. But what I find more troubling than this is ignoring where they come from, and if you’ve read my posts, you probably already know that. We’re a tight-knit bunch in the cyber security world, so I’m not going to single anyone out; rather, I’ll show you an example of how we don’t hold the supply chain accountable.
We have a competitor – let’s call them CompX. I’ve been watching from a distance and over the past few months, they’ve started highlighting some of the strategic partnerships they go to market with. It’s an impressive list…or at least I thought it was. When I researched some of the companies I was unfamiliar with, I instantly thought they were well connected.
But is the list just a way for them to make money, or is it a genuine effort to help customers protect themselves? I’m just not sure.
Let me give you a couple of examples, so you understand my confusion as to what this company is truly offering.
Example 1: “CompX is a cyber security company working with leading vendors. This empowers us to deliver premium services. We only want to bring you the best so this week we are going to spotlight the prominent vendor Abnormal. Abnormal is great because…”
Example 2: “CompX is… We only want to bring you the best so this week we are going to spotlight the prominent vendor Prevalent. Prevalent is great because…”
Example 3: “CompX is… We only want to bring you the best so this week we are going to spotlight the prominent vendor runZero. runZero is great because…”
You can see what’s happening here – the partners themselves are impressive. But this week, much to my dismay, I saw their spotlight partner of the week and my alarm bells went off. This is where I think we have a bigger problem than just supply chain vulnerabilities.
The folks running CompX are brilliant minds; they have a ton of experience, and they know what they are doing. Yet something is compelling them to recommend #Fortinet. And that something is the problem. As a practitioner, as a customer, or just as someone who pays a bit of attention here and there, we all know the havoc Fortinet has wreaked on its customer base with the volume of vulnerabilities its products inherently bring.
And that got me thinking.
Until we fix this problem – recommending solutions to secure an organization that actually make it more vulnerable – how can we expect to ever fix the supply chain? It reminds me of Microsoft: ‘Let’s get into the security game so we can charge customers money to secure the vulnerabilities we sell them.’ WHAT?!
At least Microsoft is now trying to penalize its executives. What else can it do? They are too big to fix themselves. And at Microsoft, the only reason they are trying with the executives is that they are evidently embarrassed. With glowing reviews like the one from CompX, how can Fortinet ever suffer embarrassment?
Did you know that some cyber insurance companies won’t even cover an organization if it has certain #Fortinet products? Do you know that an organization is almost as likely to have a cyber insurance claim if it has Fortinet as if it has opened RDP to the world? https://www.linkedin.com/feed/update/urn:li:activity:7195767796285194241/ It’s on page 9 and there’s a graphic – it’s all you need to see.
“Businesses with Internet-exposed Fortinet devices were twice as likely to experience a claim in 2023.” Guess where Fortinet NGFWs sit? Guess what CompX was recommending specifically? Fortinet NGFWs.
Competition is great. I love competition – it makes us better. I love the fact my competition recommends Fortinet. But this message isn’t really about what they are recommending. It’s about you, the customer. Is the customer more important or is making money more important?
At Teneo we exist to secure our customers’ networks. It’s not just a saying, it’s what we do. We don’t exist to make a dollar (of course everyone needs to eat); making a dollar is a side effect of securing our customers’ networks.
I want to see Fortinet improve. I want to see them do a better job. I want to see the customers they support avoid cyber insurance claims. I want to see cyber security professionals, including #Gartner, stop recommending companies with bad vulnerability track records. When they get better, we all do too. It creates more competition, and the only one who wins with more competition is you – the customer.
I understand that either relationships or money are involved. Use the relationships to help fix the problem. Use the money as leverage. Until that happens, we won’t fix this problem.
I would love to hear I’m wrong. I’m not talking emotionally; I’m simply speaking the facts.