I wonder why some people are so shocked by what Cisco’s Chief Security Officer John Stewart publicly stated two days ago:
If patching and antivirus is where I spend my money, and I’m still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user’s data and I still have to reinstall it, the entire cost equation of that is a waste.
It’s completely wasted money.
I’m sick of blacklisted stuff. I’ve got to go for whitelisted stuff — I know what that is because I put it there.
Needless to say, antivirus vendors are violently shaking their heads, and Cisco is not exactly impartial, since it partially competes for the same enterprise security budgets. Also, I wouldn’t go so far as to say that you shouldn’t be patching your buggy software, or that a free antivirus scanner can’t help prevent your mum from getting caught out by opening that apparently innocuous PDF attachment, or that the new Firefox 3 anti-malware features are not to be greeted as a godsend…
But this pretty logical, if not just obvious, concept is not new at all, even if kept in the dark as a dirty secret — maybe because you can’t build a long-term subscription-based business model around it?
And you can’t say I’m a last-minute convert :)