Speaking as someone who used to work for computer software companies, I find it perfectly plausible that software vendors could know less than their customers, or at least less than some large fraction of their customers. A lot of the things traditional software companies base product plans on (internal engineering ideas, analyst advice, competitive matrices, etc.) don't necessarily reflect real knowledge about what works and what doesn't. The problem is exacerbated in the security field because of the dearth of real-life information needed to create such knowledge.
Posted by Frank Hecker at April 16, 2008 11:14 AM