In my last post, "Rootkit redux: Sony doesn't learn from history," I discussed the problem of a vendor whose software isn't only poorly secured but actually unsecure by design. Similarly, on August 7, Eve Lee questioned whether new Adobe Acrobat features represented an attempt to provide its customers convenience and collaboration — or collusion and a security breach. Further back, in mid-July, I provided an informal analysis of security software vendors based on a brief, unscientific survey by CNET ("Check out the results of CNET's security vendor survey").
All three of these articles, and many others both here and elsewhere on the Web, share in common a basic lesson in choosing vendors. It may not be the lesson you think it is, however.
Many IT professionals and managers who have purchasing power for their organizations develop a certain amount of brand loyalty over time. In fact, it's difficult to find someone who hasn't — and even if you're someone who tries to avoid falling into a brand loyalty pattern of behavior, it can be difficult to stick to that policy.
When you have good experiences with a given vendor, it's easy to assume you'll have good experiences with that vendor in the future. It's a perfectly natural way of dealing with people: Trust those who have best earned your trust.
As TechRepublic member lastchip said in the discussion of the Sony article, Sony was once a company that more people held in high regard and that gave us the sort of quality products that earned that regard. Things change, however, in the world of corporate vendors. This is really the crux of the matter: We're dealing with corporations, not people.
It's tempting to view a corporate vendor as an individual, someone with whom we can develop a relationship, whose past behavior is a fairly reliable indicator of future behavior. Unfortunately, that simply isn't the case.
Corporate leadership changes, as CEOs and board members come and go, as business divisions undergo reorganization, and as legal and financial circumstances lead to changes in corporate policy. The influences on corporate vendor behavior are probably no more numerous than those on individual behavior, but the entity of a corporation is far less resistant to changes in its trustworthiness than any individual.
I personally was in danger of developing brand loyalty for IBM ThinkPads beyond what was really called for by the cold facts of reality, but I had my growing complacency shaken up by the implications of the sale of IBM's PC division to Lenovo. It caused me to reassess my relationship with the ThinkPad brand in light of significant changes in the management circumstances. While I worry that this change may result in declining quality for one of the highest quality lines of laptop computers, I'm also glad that I had my growing complacency shaken up a bit.
Occasional reminders that there's no such thing as a brand you can trust the same way you'd trust an individual with whom you've established a good relationship are important. While this applies to matters such as hardware quality and financial stability, it's most relevant and important when dealing with matters of security.
In matters of security, trust takes on a deeper, more pervasive character, and when it's misplaced, it's more easily and fully violated. As I said at the beginning of this article, it's possible that some of you have learned the wrong lessons from stories of certain corporate vendors' failures.
If you learned that certain brands don't deserve your loyalty, you missed the most salient point: No brand deserves your loyalty. Just keep in mind that some of them definitely deserve your distrust more than others.