An IBM security expert ripped the scab off the dirty little secrets of the security industry in a highly entertaining presentation Wednesday at Interop. Joshua Corman, principal security analyst at IBM Internet Security Systems, highlighted the gaping divide between what customers think they're buying (safety) versus what security vendors are most intent on selling (stuff that'll bring in the bucks). Here, in condensed form, is his list.

Alexander Wolfe, Contributor

May 1, 2008


Vendors do not need to be ahead of the hackers; they only need to be ahead of the buyer.

"It's not about chasing the enemy," explained Corman. "It's about chasing the buying decision." Meaning, the goal isn't necessarily ultimate security -- it's to make money. Hey, I don't make the news, and neither does Corman. Nor is this one intended as a slam against security vendors; it's just a recognition of the reality that it's a natural tendency to hold some feature or cutting-edge protection in reserve, for the next version. In security, as in apps or operating systems, very often "good enough" is good enough for the current release, and more in tune with customer expectations, besides.

Antivirus certifications do not require or test for Trojans.

Betcha didn't know this one; neither did I. Apparently, though, formal security-software certification suites only check for effectiveness against viruses and worms, not Trojans. This might change in the near future, thanks to the efforts of the newly formed Anti-Malware Testing Standards Organization. However, right now certification doesn't buy you security certitude, which is a very bad thing because Trojans constitute up to 80% of the threats you're liable to face.

There is no perimeter.

Think you're protected by your corporate firewall? Think again. What about that laptop, loaded with sensitive data, which you took home from work? (Please don't leave it in the car.) Corman's comment on this one applies to a lot of us: "I'm never in a perimeter."

Risk assessment threatens vendors.

This dirty secret relates to the fact that a risk assessment of your enterprise would likely turn up the fact that your weak points don't align with what a vendor is trying to sell you. But he probably won't clue you in on that at the expense of his sale.

There's more to risk than weak software.

Corman points out that, even if all software were perfect, there would still be security problems. Phishing, social engineering ("This is IT calling; give me your password"), and viruses, which don't depend on software flaws, are all ongoing risks.

Compliance threatens security.

The need to pass security audits looms so large on the list of most chief security officers that it diverts attention away from real protection. Paradoxically, Corman notes, compliance is actually dragging most enterprises down to a minimum level of security (the minimum they need to pass the audit).

Vendor blind spots allowed for the "Storm" botnet.

This one's a little too specific to be on a list of generic flaws, if you ask me. However, it definitely dovetails with Corman's contention that we're far too often looking at the forest and missing the trees. Or Trojans.

Security has grown well past the "do it yourself" stage.

Seems obvious. Corman adds the caveat that implementing security technologies for their own sake is a waste. As he puts it, "technology without strategy is chaos."

OK, so we've gone through a list oriented toward enterprise customers. What about consumers? LOL. They're called "lepers" to some in the industry. As in, mom with the PC is gonna shell out her $75, or not (if she doesn't activate the trial software which came with her system), and that's all she wrote.

Has Corman missed anything? What's on your list of dirty security industry secrets? Drop me a line or leave a comment below.


Alexander Wolfe is a former editor for InformationWeek.
