The opinions expressed herein are my own and do not represent my past, present and future employer’s views in any way. Nothing posted here should be considered official or sanctioned by my past, present or future employer or any other organization I’m affiliated with.

Vendor Security Engineer

Written by Duarte Castelo Grande de Carvalho (dcgc)


Back in the day, we witnessed so many reputable brands, so many recognizable names, so many legacy household names. Long before we start our careers in IT, while we are still studying at university, we go to the career fair and see all these stands and booths everywhere. We are amazed at the grandiosity of the famous logo; we have seen it mentioned throughout our studies, and the majestic presence of the company intimidates us. It is curious that, after a few years of working in IT and in Security, I look back at my time at those exhibition stands and at my time studying, and I see how I feel about Vendors in general nowadays and witness the drastic change of opinion I have had, especially after working for one (in several positions) and after working with several products from different Vendors. From the customer side, it is a lot of smoke and mirrors (most of the time), no doubt about it, but we usually don’t understand much of what goes on behind the scenes. It is also more than what we perceive as customers. There are different roles within a Vendor company, meaning that each person we meet at the fair has a different task and a different goal in mind. Some lean more towards cheating the customer, while others lean more towards supporting the customer to the best of their abilities. After a long period of working for a Vendor, I came to several conclusions and hope to address them here. Bureaucracy and autocracy, but also flexibility and adaptability: each place is different and not every company is right for a person in the IT industry. I wanted to know what it is to work for a Vendor when you are not supporting or selling their product. What would a person do if not that? I quickly learned some hard truths about what guarantees you a position in such places. It was made known to me what was needed to keep your seat and, in some cases, to move up the ladder or get admitted somewhere, somehow.

What roles are available

Vendors are focused on delivering products, services and subscriptions. For all of these they need manpower, so a lot of the people working in these places are a cog in the machine, even if their title doesn’t convey it (some people enjoy that, others don’t). Suffice it to say, you need that manpower, especially if the organization is international and worldwide. The demand from customers and the frenetic pace of buying and subscribing across different time zones forces the organization to roll up its sleeves, get to work and make sure the customer stays on their side, at all costs. They are a business. They need to guarantee that a customer will stay with them. Selling the dream, sweetening the deal and making sure the lifeline is still beeping are the day-to-day activities of the Vendor organization. Most roles inside the Vendor organization are related to all of this.

In the Security spectrum, you have different types of roles: some are associated with the magic show of showing off products; some with supporting the charade of products and customers (being the customer’s butler); some with building and configuring these products based on unfounded templates and “god knows what” design and architectural decisions; and some are closer to Technical Security PR. All of these positions exist to serve the Vendor, its customers and the bottom line (both the Vendor’s and the customer’s). You will find a few roles where you feel like you are advancing and developing something new in the industry, but in actuality you are helping the Vendor’s business, and it is an illusion of grandeur. I have naively accepted some of them and knowingly rejected others. The ability to discern what is right from wrong for you comes with time and experience.

Unfortunately, there is no blueprint for differentiating a good role from a bad role in a Vendor company, for several reasons: a lot of the information is gatekept and not public, and if it is made public it had better be anonymous, or else you will be kicked out of the office building; and the titles for each role are similar in a lot of cases, while in other situations the naming differs even when the role itself is, in reality, closer to something else.

What Vendor doesn’t want from people

Give me a hat, make it black. Give me an R, an S and an A from the alphabet soup. Give me a quadrant and sprinkle it with some magic. The Vendor is all about telling, showing and dealing, even if the product and/or service is subpar. It’s part of the business, after all. The organization needs its employees by its side, infallibly, even if the tide is not turning in its favor. If you have anything to add or need to give your two cents, it had better be what they want to hear and not what they need to hear. The message given to customers is very important for the business of a Vendor, and if you have employees or people associated with the Vendor brand voicing disparate opinions and arguments, you create confusion for the customer and conflict inside the organization (even if you are right). Constructive critique, counterpoints and loud voices are not something the Vendor wants, for this specific reason.

What Vendor wants from people

Like in the army, the higher-up is always right, even when they are wrong and don’t know why. You need to follow their little orders; you need to follow their petty chain of command; and you need to respect their AUTHORITAH. The Vendor has a unique message it wants to sell because it is part of its business strategy, so anything outside the lines of what was decided gets cut, ignored, or brought up internally so that it doesn’t get voiced again. It is understandable: the business has a marketing plan, a business plan and a product placement in the market; everything needs to align or else it fails. Employees, because of this, have to follow what they are told and have to be careful when suggesting change. For example, the “There’s never been a better time” motto actually means “There’s never been a better time to not get fucked once again and acquire another lousy product”, but that goes against the motto of the company.

What was I offered?

I worked in the support world (notable if you have read some of my other blog posts). The support world is a blend of kissing your customer’s ass but also being technically confident (or not) and solving some technical issues (sometimes). There are different kinds of support in the Security domain inside a Vendor company, and the places I worked are examples of such. If you are in the Technical Assistance Center world, you are helping first-hand with the products the Vendor company is selling and are actually trying to solve issues with the product, under pressure. Your performance, the outcome, most of the time dictates the customer’s happiness and willingness to stay with the product, so this position involves a lot of suavity. If you are in Managed Security Services, you are helping manage and operate the portion of the customer’s infrastructure that contains the Vendor’s products, and are trying to make sure it keeps operating correctly and that no fire breaks out. Your effort, the results, more often than not are the deciding factor in whether a customer builds its own ITIL-based Incident, Change and Problem teams or continues with the piss-poor MSS it hires/subscribes to. If you are in the Security Operations Center world, you are “combating the evil guys” and working on raising and resolving “security incidents” around ill-intended attempts, from false positives and automated interactions to real campaign profiles. Your commitment, the security incident handling, will a lot of the time establish the basis for the customer’s decision to build its own SOC or to continue its contract with the clown-grade SOC it subscribes to.

Why was I not offered?…

Relationships are a very important factor when it comes to working in a corporation, because that is what Vendor companies are at the end of the day. A lot of the positions, and the budget allocation, have to do with business decisions. This forces positions to be opened or closed in different parts of the world and in different departments. This also means that some people are ahead of, and others behind, the rest in consideration because of their geographical location. For example, if HQ is in the USA, the deciding roles and big decisions will stay and be made there; other offices around the world end up working in jobs that support decisions made in the USA. The other deciding factor comes down to favouritism, meaning that if you know a certain person and are in their good graces, the better your chances of getting a certain position, regardless of your actual knack for the job. It is what we call in my country cunhas. A lot of the roles inside a Vendor company come down to this, because you are used to talking the spiel and walking the walk they want to hear. Add to this some friendliness, delicacy and other nice behaviours, and you will most certainly get the job (maybe you need to fake an interview or two, but your friend will put in a good word for you). For example, a Customer Success Manager role requires someone who has worked in different customer-facing positions and is able to speak to the customer in layman’s terms, and not only that, but is able to present in front of them; but because you are friends with a person who left the company for a very brief period, doesn’t know much about such a role outside of technical support, and loves the Vendor blindly, that person gets the job and skips the interviewing process.

Enough is enough?

Maybe it is time to put the final nail in the coffin when it comes to how Security positions are mishandled inside a Vendor company, given their importance for the whole product cycle. Maybe enough is enough, man. Speaking as a customer (now), what I expect from a Vendor company is what it advertises: quality, caliber, prestige, stature, eminence, etc. The shitty marketing people and the non-detailed explanations of products we never wanted have got to go. The Vendor always promises an easy process and never fulfills it. Please, stop… I don’t expect lazy security people and average Joes in these positions, silver bullets (the silver bullet preys on people who don’t know any better) and easy-button bullshit being stuffed down my throat, being led by the marketing and sales departments one more time, and being driven by that “pay for award” bullshit that is destroying the industry, for which, when the product doesn’t work as intended, vendors are never held accountable. The Vendor focuses on who can maximize, who can exit and who can walk away with a golden paycheck. Their mission is money and it is a business. I understand that. But outright lying is outright lying, and outright laziness is outright laziness. If you are falling for it, you deserve it… I guess. If you onboard a tool that detracts from the security of the company, wastes money and time, and deviates from the mission and direction of the company, that is on you… I guess. But it doesn’t mean that the Vendor company can get away with what it is doing.

All in all, Vendors have to be willing to do a better job and increase the quality of their transparency. How does your product work, and what does it do? Also provide clarity for easy conceptual understanding. Educate your customers and you can help them avoid the flak. For this, we need the proper people in these positions. Don’t go hiring some monkey wrench…
