Tuesday, September 20, 2005

Citadel Offers Product Security Warranty

Thanks to this SC Magazine story, I learned that Citadel Security Software is offering a performance warranty on their Hercules vulnerability management product. They say:

"The Hercules SecurePlus warranty guarantees the product’s performance against Citadel’s published service level objectives to deliver timely, accurate and effective vulnerability remedies for known exploits. Citadel’s service level objectives are the expected delivery times for the vulnerability remedies and associated security content produced by Citadel’s internal security team, the Remediation Security Group...

In the event of an information asset loss due to a successful compromise of a computer system where a remedy is available for the known exploit, you can receive reimbursement up to the amount of Hercules contract.

Citadel offers Hercules SecurePlus in collaboration with AIG, a pioneering leader in the cyber security insurance market. This ground-breaking warranty is available at no cost to Citadel customers and is valid for one year from the date of the Hercules license agreement."

There are probably enough loopholes through which one could drive a truck, but I do not recall any sort of warranty like this elsewhere. Citadel may have just pushed the bar a little higher for those who do not offer similar assurances.


Rob Benyon said...

To you and me, what Citadel is offering makes a lot of sense. Surely you are obliged to back your product with a money back guarantee. In many instances you are afforded a money back guarantee. Imagine buying a car and after a few days it stops working or is unable to do the job it was designed to do. I am sure you would demand a refund.

It was FedEx that were recognised as the pioneer in delivery SLAs, when they guaranteed delivery of a parcel by a certain time - or your money back. That is essence is an SLA.

What Citadel has done confirms the research I have been doing and the framework I have developed. In order to manager services effectively, you have to know exactly what those services are and exactly how you are going to manage them. To achieve this, the service provider must develop a Catalogue of Services and a set of Standard Operating Procedures. In other words, identify what you can offer and how you are going to do it. Only then can you tell the world what you can do and enter into a managed services environment with an SLA.

Citadel seems to have done this very well by:
"Guarantees the product’s performance against Citadel’s published service level objectives"
"For known exploits"
"Vulnerability remedies and associated security content produced by Citadel’s internal security team"

Money back guarantees are not unique - yet may be so in this segment of the security industry. Rather than jump for joy that this has happened, we should be asking ourselves, what took you so long! I am sure as an ICT service provider, security is part of the package you offer. Just shrugging your shoulders with an "unlucky for you" attitude when your client gets hacked is not going to make for a sustainable working relationship.

David Maynor said...

This is nothing new, ISS has been doing it for years:

"Guaranteed service level agreements and a $50,000 money-back warranty ensuring 100% accountable, reliable protection"

tweedledeetweedledum said...
This comment has been removed by a blog administrator.