The Rift Between Defenders and Vendors

Apr 9

3 min read



Reddit didn’t just flame us—it exposed something deeper.


All we did was ask what we thought was a simple question:


"How are you securing remote admin access to firewalls / routers these days?"


Cue the drama.


The loudest backlash wasn’t even about the question or premise. It was about the trust gap—a growing rift between practitioners and vendors that’s turning collaboration into conflict.


And honestly? Both sides have a point.



⚔️ The Cold War Between Builders and Buyers


Practitioners are tired. Tired of sales-led hoops, tired of buzzwords, tired of “AI-native Zero Trust XDR” that breaks in staging.


Vendors are tired too. Tired of being dismissed before the first real technical question is asked. Tired of being automatically lumped in with the worst actors in the space.


And stuck in the middle? A festering wound of miscommunication, defensiveness, and mutual disrespect.



🔍 Two Posts, One Problem


This week, two totally different posts on LinkedIn hit the same nerve.


Post 1: The AI CISO


An AI-powered CISO tool was announced. The reaction? Brutal. Practitioners tore it apart—sarcasm, scorn, the works.


But here’s the uncomfortable truth: a lot of orgs actually want that.


Why? Because security often comes off as elitist, obstructive, or just plain unavailable.


Now imagine an AI that:


  • Speaks clearly

  • Doesn’t talk down to you

  • Costs $100/month instead of $400,000/year



Will it solve everything? No.

Will it feel more useful than a disengaged security team? Yes.


Honestly? With attacks spiraling and complexity out of control, it might even show better ROI than half the security bloatware on the market. You’ll still get breached, as most practitioners like to candidly admit—but hey, you just saved $398,800 while you were at it.


Post 2: No More Technical CISOs


On the other end of the spectrum: someone argued that CISOs shouldn’t come from technical backgrounds anymore. As if security leadership is now just a GRC-adjacent compliance role or a security-themed CFO.


That’s not just wrong. It’s dangerous.


Security must be grounded in the mechanics of software, infrastructure, and attack surface realities. Strip out the technical core of the CISO role, and you’re left with security theatre. And attackers love a good show.



💥 These Two Extremes Point to the Same Truth


The industry is fractured. And the trust deficit is real.


Vendors feel ignored.

Practitioners feel abused.

And the people responsible for paying us have no idea what we are even doing anymore.


Let's be honest:



The Vendor Side Is Messy Too


We’ve all seen it.


  • IAM vendors getting breached—and hiding it.

  • Cloud vendors being compromised and denying it.

  • Zero Trust slapped on a product sales deck without re-architecting a thing.

  • AI features added overnight… but nobody can explain how they work.


No comment on the first two—those are just inexcusable. But we’re really supposed to believe these legacy stacks got Zero Trust and AI-native in six months?

Of course not. They just rebranded.


The result? Mistrust. Everywhere.


And it’s earned. This space is addicted to buzzwords, allergic to accountability, and seemingly cannot agree on a clear definition for anything.


But let’s not pretend practitioners are perfect either.



🧠 Practitioners, Stay Curious


Disagreeing with vendors is fair. But dismissing every new idea without even asking how it works? That’s just defensive cynicism masquerading as expertise.


Challenge ideas. Ask tough questions. But leave room for real dialogue.


Because when we only object without offering a reason, we push away people who might actually be trying to build something better.


And no—“can’t work” is not a reason.



What We Actually Need


Let’s drop the act. Nobody wins in a trustless industry.


Here’s what we do need:


  • Vendors who speak plainly, show their work, and respect the field.

  • Practitioners who lead with evidence—not attitude.

  • Conversations that are hard, honest, and humble.



The best ideas are born from discomfort, not dismissal.



🔒 Security Is Getting Harder


Complexity is rising. Threats are escalating. Infrastructure is everywhere, and critical systems are more exposed than ever.


We don’t have time for:


❌ Sales theatre

❌ Jargon warfare

❌ “Us vs. them” mentalities


We’re on the same side. Or at least, we should be.



🧱 Final Word: We’re All on the Wall


If we keep talking past each other, we all lose.


Want to make security better? So do we. Let’s start acting like we’re on the same side.
