Vendor Accountability & The Security Supply Chain

  /     /     /  
Publicated : 22/11/2024   Category : security


Vendor Accountability & The Security Supply Chain


A large majority of security leaders say they would switch to suppliers that offer product and service guarantees, according to a new survey.



If they had their druthers, enterprises overwhelmingly would like to see their IT security vendors held accountable for their failures in the event of a costly security breach. According to a new survey out this week, 95% of U.S. companies say they want to see their IT security vendors offer a guarantee on their products and services and 88% say theyd be willing to switch vendors if they could find a competitor who did offer such a guarantee.
Conducted among 500 cybersecurity leaders by Vanson Bourne,
the survey
was carried out on behalf of SentinelOne to confirm the companys suspicions that customers crave vendors wholl put their money where their mouth is.
Security vendors are not economically aligned with their customers. From any vendor, you buy a product—firewall, data loss prevention, anti-virus, whatever—and if the product doesn’t work and the customer gets hacked, the vendor suffers no liability as a result, says Jeremiah Grossman, chief of security strategy at SentinelOne, an advanced endpoint protection firm. We dont see this in any other industry. Not in consumer electronics, not in the clothes we buy, the phones we buy, the watches we buy—nothing. Everything comes with a warranty, a service level agreement or something except in software and security.
Grossman considers himself a
passionate supporter of security guarantees
. He initially made waves in the industry several years ago when he led the company he previously founded, WhiteHat Security, to offer a money-back guarantee. He says that a big part of the impetus behind his move to SentinelOne following his long run at WhiteHat was its willingness to work with him to develop a guarantee.
I think security vendors should know full well how well their product performed or not, and if they know their metrics, they should be able to provide some financial incentives for themselves to do a good job and provide that assurance to customers, he says.
SentinelOne kicked off its guarantee program earlier this year, offering customers $1,000 per endpoint with a cap of $1 million if they suffer a ransomware attack. And now Grossman is advocating among his peers in the industry to get them to fall into line, too.
When I launched the warranty at Black Hat in the summer of this year, I put a call out to the rest of the industry and put them on notice that everybody is eventually going to do this, and if you need help, please ask, he says.
So far, hes had a couple of takers. Most recently was Cymmetria, maker of the MazeRunner Deception Platform. Earlier this month, the firm
launched a $1 million guarantee
against breaches attributed to the successful lateral movement of advanced persistent threats (APTs).
According to Grossman, guarantees like this should complement a companys solid cybersecurity insurance policy. He likens security guarantees to the relationships between cyberinsurance, car warranties and insurance.
Our cars carry auto insurance in the event of accidents, and if we get into an accident, the insurance pays off. If, however, your car breaks down, the engine falls out of it or the tire pops, that’s where the manufacturer’s warranty comes in, he says. While not a perfect corollary, security guarantees by security vendors function more like a warranty and cyber insurance is mostly meant to cover catastrophes.
Related Content:
Do Security Companies Need to Issue Warranties?
10 Things Cyber Insurance Wont Cover
12 Tips for Securing Cyber Insurance Coverage
 
 

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Vendor Accountability & The Security Supply Chain