CISOHandbook.com
By Mike Gentile, CISSP & Ron Collette, CISSP
mike@cisohandbook.com, ron@cisohandbook.com
Preface:
Last month, we kicked over the proverbial beehive with our comments regarding the RSA conference. This month it seems that another irritant has managed its way into our lives. It is a security event (webcast) marketed by CSO magazine, sponsored by SecureWorks, and hosted by an analyst from Forrester Research. Though we have no desire to replace Andy Rooney on 60 Minutes or turn this monthly opinion into a blog for malcontents, this bothered us so much we needed to comment. We should note that it isn’t the event itself, or the companies involved, but instead the trend that it represents to which we shall address our comments and ire. During this process, it will be necessary to relay the entire story (along with a healthy dose of sarcasm) in order to illustrate the issue.
Reference:
We felt that this definition might come in handy during the article *evil grin*.
in·de·pend·ent - [in-di-pen-duhnt] – adjective
1. not influenced or controlled by others in matters of opinion, conduct, etc.; thinking or acting for oneself: an independent thinker.
2. not subject to another's authority or jurisdiction; autonomous; free: an independent businessman.
3. not influenced by the thought or action of others: independent research.
Definition supplied by Random House Unabridged Dictionary (Thanks Guys)
The Story:
Like many of the members of our site (which has grown far beyond our expectations), most of us are also members/subscribers to CSO magazine and their associated on-line portal. As a result, we are pelted regularly with promotional materials from third parties. Of course, this is opt-in, so the magazine is merely giving us what we asked for.
So, what is so profound? While checking our email the other day, a couple of us noticed a message from CSO Online with an email subject titled “Analyst Pxxx Sxxx Discusses the Benefits of Using Managed Security Services...”; you may have received it. Of course, to be fair, we have obscured the analyst’s name so as not to single him out. Anyway, the title seems harmless enough, maybe even interesting at first glance. The fun starts when you look a little deeper.
Pxxx Sxxx is an Analyst with Forrester Research. As directly quoted from the Forrester web-site in the About Us section: “Forrester Research, Inc. (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice to global leaders in business and technology.” Aside from being somewhat Dilbert-esque, nothing wrong there…right?
Let's take a closer look at the email message: a 30-minute webcast hosted by Pxxx from Forrester Research on the benefits of managed security services. Hey, wait a second, the email also identifies the sponsor as a firm that specializes in offering managed security service solutions (Secureworks). Hmmm, we thought that Pxxx is an analyst for Forrester, an INDEPENDENT research firm.
Let’s ponder this for a moment. What would happen to Pxxx if he presented predominantly negative opinions and concepts regarding managed security services during this webcast?
Since the webcast is sponsored by a managed security service provider, will Pxxx truly be able to speak frankly regarding the subject? We are firm believers that every topic offers both pros and cons. How is Pxxx going to address, in an independent, unbiased manner, the inevitable question: “Pxxx, that sure sounds great, but what aspects of Managed Security Services suck?”
Honestly, how free is Pxxx to present objective information or opinions under these circumstances? We must admit that, deep down inside, it would be great comedy to watch Pxxx bashing managed security services during this presentation *evil grin* while the executive team from Secureworks watched in horror. That would be truly awesome, and might make for a great television episode of “The Office”. However, we all know that Pxxx is not going to do this. He’ll play nice (as he should), and will be restricted in his comments and information through nothing else other than courtesy and professionalism to his sponsor. But who is served in this situation? We’ll give you a hint, it’s not the consumer.
The Issues:
- This event is a commercial leveraging the so-called “Independent” reputation of Forrester Research.
- CSO Magazine should know better than to distribute an advertisement containing such a potential conflict of interest.
- Forrester Research, please don’t profess to be “Independent” if your team is going to participate in such marketing events. In our opinion, you were already on shaky ground with the previous case study you performed with/for Secureworks.
- It is clear to us that, though the analyst may be discussing Managed Security Services in general, he will be providing a tacit recommendation to his sponsor.
- Secureworks: This is very creative marketing. Part of us says “Bravo…more power to you.” The other part is saddened that it’s "business as usual" in the world of security marketing. These tactics make it hard on everyone in the domain of security by obscuring information.
In conclusion, the symbiotic relationship that we are witnessing between CSO Online, Forrester, and Secureworks happens far too frequently in the security community. These companies did not create the system, but in our opinion they are certainly exploiting it. What saddens us and hurts our profession is that it is the end user (all of you CISOs and CSOs out there) that pays the price in the form of information that is either biased, inaccurate, or both.
Additionally, it appears that the problem is worsening as time passes. It is moving beyond the realm of research firms, product vendors, and large consultancies, where it has been festering for years, to conferences.
At conferences, it is interesting how the best speaker time slots are often given to the premium sponsors of the conference. Now this situation is fantastic for almost everyone with the exception of our friend the conference attendee, who may not be interested in who spent the most in sponsor dollars. Perhaps (and we know this is a wild idea) they are interested in the speaker with the best content during premium times. Next time you are at a conference, take a look and draw your own conclusions. (Quick disclaimer: we aren't complaining, we usually get good time slots when we speak.)
The other place that this happens is in the security product or service arena. For example: Joe Salesman has just sold you a security widget or service. You (the consumer of the widget or service) ask him if he knows of any good products or services for another security issue you are struggling to solve. Not to fear, the salesman is there to help. So he belts out a product or service which, according to him, will meet your needs perfectly. What Joe Salesman isn’t telling you is that his company has a backend arrangement and/or lead-sharing agreement with the vendor he just recommended. So in the end, you get a recommendation for the product or service that helps out the salesman, not necessarily the one that best addresses your issue. We are not exaggerating. In our experience this is “Sales 101” in the security domain nowadays. Frequently it is the largest product and service providers that are the strictest, not only about recommending certain vendors, but also about purposely excluding any mention of others with whom they don't have an arrangement.
Conclusion:
The level of information manipulation occurring in our industry at this time is ridiculous, leaving security officers around the world flying blind in many cases. Our recommendation is simple: Take particular interest in the origin of the information that you trust to make decisions. Verify that the independent, objective information that you receive is truly independent, objective information, not a paid infomercial.
Parting Thoughts:
Now we know that a bunch of people from Secureworks and some of the other companies mentioned in this article are members of this site, and we welcome you to comment on our opinion on this subject. Our intent is not to bash the three companies in the story; in fact, we think that they all add value in different ways. Our only interest is to focus on the bigger issue: the distortion or manipulation of security information.
Finally, we should also provide the following disclaimers for ourselves: Our day job (the one we get paid for) is as security consultants who build organizational security programs. Our free job, the one that is taking way too much time these days, is this portal. Most of us are invited to speak at various security conferences regularly, and some of us do spend time providing input to research firms. Forrester is not one of these firms (if it was, it probably wouldn't be in the future :) ).
As always, we encourage your response and debate regarding any of these ideas.