Foolish End Users, Tricky Integrators - What To Do?

I've seen this sad story play out far too many times. Take a foolish end user, someone both naive and hopeful enough to believe that something impossible works. Combine that with an unscrupulous integrator who pushes science fiction solutions to differentiate himself from the pack and win the deal.

The end user organization ultimately loses when the solution does not work. Good integrators also lose as the foolish end user, at first, thinks that they must not be as good or as smart as the trickster.

Has this been a problem for you? What do you think can be done to minimize this?

When we criticize marketing campaigns, that is one of our objectives - to help educate or at least warn the broader public about misleading and harmful claims. Additionally, we could start promoting IPVM certified individuals to the broader end user community to help 'regular' end users be aware of credentialed, properly trained individuals. What else can we do? What else do you want to see done?

The real world is telling me that business is managed by the end user's purchasing dept. If your solution is lower in price than your competitors', you get the contract, even if such a solution will not work. After the contract is awarded, the stuff is passed to the operations dept., and in the end it will be their failure if the systems don't work. This is without taking into consideration that, due to the long time passing between all phases of the project (years probably), the specific persons involved in the deal at the beginning will be involved in other projects in other countries, and with them all responsibilities will be gone. My 2 cents...

Massimilano, thanks for the feedback. It raises the other side of the issue.

Some end users, with large budgets, will waste their budgets on science fiction systems.

Other end users, with tight budgets, will be 'penny wise and pound foolish', buying systems that are inadequate, fail to meet customer needs and are more likely to break sooner. That raises the question - what do we do in this scenario?

The only way is to have the chance to influence the technical specs on which competitors will bid, but as you easily understand, this phase is already...taken! Don't ask me by whom...

I have dealt with a client's consultant in one case where the consultant specified a number of required solutions that were either pipe dreams or extremely bleeding edge. After the project failed to progress, I spoke with the consultant, who admitted they were trying to push the market to deliver new solutions beyond what they had seen. I am not sure this would have provided a good outcome for the client or the competing integrators if it had moved forward. There needs to be a balance between new products and proven products. Do manufacturers need to do more to prove new technologies in a real world environment?

Jeremy, excellent comment and question.

I have similar stories with consultants. On more than one occasion, I have talked with a consultant who spec'd a new product that he had neither tested nor was certain when it would come out (i.e., "it's scheduled for 3 months from now"). That's craziness and opens up a huge amount of risk.

You ask, "Do manufacturers need to do more to prove new technologies in a real world environment?"

Absolutely, but the tougher question is "Are manufacturers motivated to prove their new technologies work in a real world environment?" Unfortunately, most of them are not. There is little to gain and a lot to lose if the technology is demonstrated as having problems. For them, better to sell on potential than to be blocked on proven failure.

Many times, the projects I worked on were specified and purchased by non-security professionals, most often IT departments. Dealing with science fiction and unrealistic expectations felt like an everyday thing.

However, I found that educating end users was much easier than trying to sidestep tricky salesmen. Granted, it might take some time, but it is very difficult to fake experience.

When I saw the discussion title “Foolish End Users, Tricky Integrators - What To Do?”, my first thought was, “Yea! Finally a thread where consultants aren’t going to get bashed.” Wrong! It took a mere 4 comments before the consultant bashing started.

From what's described, these particular consultants seem to deserve the scorn, especially if they do this kind of stuff regularly as opposed to doing it once and then saying to themselves, "Boy! That was dumb. I'll never do that again." In general though, are security consultants really that uniformly bad, or is it just a matter of a few bad apples ruining the whole bunch?


The Masked Consultant

Masked Consultant, my aim for this thread was not consultants. In my experience, consultants tend to err on the side of caution (just spec Pelco or Honeywell regardless) while integrators tend to err on the side of daring (let's put in this amazing new product that we have no idea will work).

I think it’s incumbent upon both consultants and integrators to better educate the end users in regard to what are realistic expectations for their security systems. Ideally, this should be a cooperative effort (also requiring an end user that wants to be educated). Of course, the first prerequisite for this is that both need to educate themselves regarding what technology is available and what its capabilities and limitations are. In the best case scenario of a good consultant working with a good integrator, they can learn from each other and keep each other honest (“As iron sharpens iron, so one person sharpens another.” Prv. 27:17). That should lead to the best possible solution for the end user.

Here are the tough nuts to crack:

1.) How do you identify the “good” integrators and consultants? I think things like IPVM certification can definitely help with that. Even if it does not become widely recognized by the majority of end users outside of security professionals, (How many non-IT people know about MCITP or RCDD? How many non-AV people know about CTS-D?), it can still be very beneficial in regard to helping knowledgeable security professionals identify each other. A strong network of good, knowledgeable integrators and consultants can help mitigate the influence of the snake oil salesmen.

2.) How can you get manufacturers to stop filling end users’ heads with science fiction, (which enables both the foolish end user and the tricky integrator)? That’s a major uphill battle. I commend IPVM for taking it on, but don’t envy you for it. Ultimately, manufacturers are going to continue to make fanciful marketing claims as long as there is no significant downside to doing so (“downside” meaning lost profit). Calling them out is definitely a start. Testing/debunking them is also very beneficial as that enables that network of knowledgeable security professionals to confidently tell end users, “No, that’s marketing BS. It can’t do that.” (Of course, it doesn’t help when certain manufacturers have an almost cult-like following among a small but vocal group of integrators.)

Best (Realistic) Wishes,

The Masked Consultant

"Of course, it doesn’t help when certain manufacturers have an almost cult-like following among a small but vocal group of integrators."

Gotta be talking about Costco brand, right? ;-)

Good one Matt, you made me laugh out loud on that response.