With all the recent talk about cloud security, I’ve really been struck by the blatant deliberate confusion promulgated by various industry stakeholders. For example, last week around RSA I saw a nonstop stream of press releases containing the word “cloud” for products and services that were merely the same old beloved security tools, now rebranded to ride the froth of the cloud marketing wave. But ‘cloud’ is only the latest example – from NAC to DLP to GRC and other technologies of yore, we see often-deliberate message dilution and confusion so certain poorly-positioned individuals or companies can avoid being left behind by market innovators.

We don’t just see this in security; calling yourself “green” is an instantly classic example (hello “green” bottled water), but I do think we see it more in security than other areas of IT. When you think about it, we are probably the farthest reaching area of IT- spanning everything from development to storage to desktops to networking, and as such have a fair bit more running room. You might be able to rebrand your storage solution “green”, but it isn’t like you can call a hard drive a WWAN SAN just to hop on a trend (having been to many non-security conferences, I think this is a reasonably safe statement).

And what I’m focusing on today isn’t mere bandwagon hopping, but purposeful efforts by laggards to create confusion in a market and defeat clarity. I call it the Anti-Disambiguation Movement, and it follows a predictable path. The movement is led by vendors, press, and analysts; with end-users (and some innovative vendors) suffering the consequences.

Here’s how it works – when a vendor is late to the party, they start issuing a bunch of marketing chaff to distract everyone from the real innovation. This takes a number of forms (which we will talk about in a moment), which result in one of several outcomes (which we’ll also detail). Interestingly enough, I think this tracks very nicely with the Gartner Hype Cycle (I love the Hype Cycle, and am sad I don’t get to use it anymore).

Let’s start with the methods (I’d apologize for the language, but you should be used to it by now):

  • The Marketing Cock Block: A large vendor claims that they are bringing a product to market within a nebulous time frame, when they have no existing product in that market. The goal is to Osborne effect any direct competitors or small vendors in the space by creating a belief that the “official” solution from a stable supplier is just around the corner. In some cases the vendor has a product, but it isn’t close to competitive.
    Example: Microsoft and Cisco with NAC. Neither had a viable solution until relatively recently (and that’s still debatable), but that didn’t even slow down their marketing efforts and interoperability announcements.
  • The PR Territory Piss: A variant of the Cock Block in which the vendor issues extensive press releases on their ownership of a trend, which they may or may not later buy or build into.
    Example: AV vendors and antispyware.
  • Malicious Confusion: Vendors know they don’t have an offering in that market/trend, so they expand or otherwise deliberately misuse the definition of that trend to include their products under the hot umbrella. The goal isn’t to produce anything for that market, but to create enough confusion that whatever they already had on the shelf can be marketed with today’s cool term. They purposely and maliciously create confusion for their own benefit. Ideally, they even convince some press or analysts to include them in a market list or product evaluation.
    Example: DLP and USB port blockers, endpoint encryption, and about a dozen other things that have nothing to do with DLP.
  • The Glom-on: A trend starts hitting and clumps of vendors start piling on for the ride, making a subconscious but collective decision to link their market to the trend until the trend/market definition becomes so diluted as to be worthless.
    Examples: Cloud and information-centric security.
  • The Lemming Roller Coaster: A trend becomes hot, and less-intelligent vendors jump on, usually late, without really knowing where they are headed. The lemming is less deliberate than some of our other examples, and typically the result of a brain dead marketing/PR type. It’s usually smaller companies, and may lead to their death once users figure out the product doesn’t help with that problem, or after they score poorly in magazine/analyst ratings.
    Examples: Seeing this a lot with DLP and a bit in GRC.
  • Unintelligent Design: Some ass-clown of an analyst invents their own term for something, often issuing some sort of market report, triggering one of the other methods listed above.
    Examples: The Anti-Disambiguation Movement… and GRC.

The result falls into these categories:

  • Death: The trend/market becomes so toxic that it dies, taking the slower companies with it.
    Example: PKI.
  • Clarity: The ambiguities fade away and clear definitions emerge, although often not until after a few early innovators die.
    Example: NAC.
  • Redefinition: The term/market is redefined, but doesn’t necessarily resemble its original form.
    Example: I think cloud security is headed this way.
  • Meaninglessness: The term becomes so diluted it’s essentially worthless, even though there might be some nuggets of truth in there.
    Example: GRC.

I’m having a bit of fun here, but the simple truth is that very often market terms are atrociously abused by laggards, often (deliberately) damaging the real innovation and innovators.