I wonder if we should take mandatory breach reporting a step further too and require them to list all security vendor products and services that were in place at the time of the breach.
Should security solution vendors be held to account for failing to live up to the bold claims they make?
It may not be workable, but when big businesses have invested millions in tools and services I can't help feeling there should be some vendor accountability.
That would be unfair, as the efficacy of most products depends on how they are configured, monitored and maintained.
For example, if I install an application whitelisting system, but whitelist too much, pay no attention to logs and alerts, or never patch it, then that's not really the vendor's fault.