I cannot possibly imagine what effective tools Bruce Schneier is talking about. The people I saw there whose tools actually work were in the 10% minority. Look I know I can run Fortify or Ounce on your code and find security bugs, but that is two vendors out of a gajillion. The vast majority of those people are selling toys to security "professionals" who want to play cops and robbers on the shareholders' dime. Then the vendors wonder why people don't want to pay for these toys, guess what guys - Christmas/Hannukah/Diwali/etc only comes once a year! You gotta find something to sell besides toys and shenanigans for the other 11 months a year.

We are not debating the efficacy of side airbags versus the side curtain airbag. Its the efficacy of undercoating (hopefully they have sleazy car sales people in the uk so i don't have to splain this), its shenanigans.

I remember back a few years, a company buys a seven figure (!) identity provisioning suite from a large vendor. Now they are closing the deal and this sucker is supposed to integrate all their disparate directories, provision roles, propagate attributes, the whole nine yards.Well so as the deal is closing, the big regional sales guy flies in and sort of oozes his way into the meeting and says 'hey, uh, now that you guys got this software, what kind of hardware can I sell you on?" and proceeds to launch into this sales pitch. omfg, THEY JUST SPENT MILLIONS OF DOLLARS ON YOUR IDENTITY SOFTWARE - PLEASE MAKE SURE THIS ACTUALLY WORKS (which it didnt/doesnt) - AND PLEASE STOP SELLING FOR TWO SECONDS.

These big companies have all these "security" products which are little web enabled toys, they all generate reports really well, but the companies don't buy them for a security product they buy them so they can sell you a bunch of operating systems and hardware that no one wants. The money does not go as Andre said into improving the product it goes into booths and shenanigans. That is why for informed buyers Ping and innovation focused small companies win.