Bait and switch. There is a lot more bait and switch in security than you’d expect. I can call it the silver bullet problem. Companies like Norse show up and claim to have solved our problems. It’s like Napoleon Dynamite’s speech during his presidential debate. It was promise, promise, promise, ‘and if you vote for me, all of your dreams will come true.’

I’ve heard security pros talk about getting rid of firewalls altogether because bad guys can get around any firewall. Okay, so in isolation, that’s true. But that completely ignores compliance, potential for mistakes, or SIEM data. Espousing magic bullets is bad.

I’ve also heard people say things like, ‘that’ll be easy’. Or, ‘can’t you just’. That’s disparaging, first of all. We aren’t machines, at least not in the computer sense. We have pride and ego and emotion. Saying someone else’s work is ‘easy’ or trying to ‘get them to just’ is dismissive and hurts their pride. It’s important to not be a jerk in your life, and saying things like, ‘that’ll be easy’ makes you sound like a jerk.

If your product or service does a few things very well, sell those few things. If you then cut some of your product or service to meet the customer's price, you are performing a bait and switch. You show them the brochure with all the features, you build a positive impression of success with all those features, then you start to promise the customer a really good price, and at the end you give them something with a few options deleted. That's bad. It's also embarrassing. I've been publicly embarrassed by my inability to deliver what I know the customer needs because someone around me bait-and-switched.

And without budget, what can you do?

I have a potential solution, though I don’t hold my breath thinking it will happen in our industry. People like verbosity. People like big, bang, powerful, fancy-fancy words. People like to solve all your problems and make all your dreams come true. But here is my potential solution:

  1. Be honest. If your product/service only does X, then tell people you only do X. Say it in a nice way. But don’t be dishonest.
  2. Deliver. If you sell something and make promises, deliver on those promises and manage expectations. It’s embarrassing to work with people who cannot deliver.
  3. Be kind, but fight. Fight for what is right by the customer, but be kind about it.
  4. Find efficiencies by finding customers willing to spend. Don't cut and cut and cut. Customers don't care about you. They are happy for you to lose money. Well, some are. Try to avoid those, if you can. You don't need to be bullied. You only live one time, so try to spend that time in the company of good people. There are exceptions. If you can work with a game changer and they happen to be led by jerks, well, maybe you suck it up (pride) and learn from them.

Infosec and cyber security are super cool. But it's an industry like many others, and it's full of BS, dingbats, and jerks. Try to avoid those things in how you do things, and then we can all find some real solutions to real problems.