Walk into any major cybersecurity conference, and you’ll feel like you are walking into the trailer for a horror movie.
Scary threats and psychopathic criminals are everywhere, the vendors say, as they try to convince you that only they have the tools to keep you safe. The only thing that’s missing is the deep-voiced narrator solemnly setting the scene with three words that have come to mark every movie trailer: “In a world…”
Scare tactics have become a common feature among cybersecurity vendors, used to pump up sales and generate news coverage.
There’s a risk here: like the audience at a scary movie in which the cheap jump scares fall short, it’s likely we’re all becoming desensitized to very real threats.
So, I want to take a moment to discuss some of the tactics I see out there and some tips on how we might be able to wake up from the “Nightmare on CyberStreet”.
Pay attention to the method of an attack, not the attribution. When a big attack hits the news, security professionals attribute the attack to a specific geographic location. The attribution is then used to imply identity. For example, if an attack is traced to Eastern Europe, vendors may attribute a hack to Eastern European organized crime. But the location a hack originated from can be hard to trace, to say nothing of the huge leap from “hackers” to “organized crime.” Very little of this matters, because globally, hackers tend to use the same attack paths. From the perspective of a security professional, it’s more important to know how the attack worked than to know who did it.
Pay attention to the details. Sometimes we read stories about the theft of millions of records. But how important are those records? Names, addresses, and birth dates might be good fodder for a direct mail campaign, but alone, they aren’t the stuff that identity theft is made of. Watch for the bait and switch that pumps up the importance of a breach with raw numbers, not hard facts.
Be wary of vendor reports. When a vendor is paying for research, they get to set the agenda and can even dictate the questions that are asked. This can lead to biased and unreliable research that describes a security issue in a way that is favorable to the vendor. That’s not to say all vendor-sponsored reports are useless, but it’s important to look for some external validation.
There’s no easy button when it comes to figuring out what is true in cybersecurity. Real security challenges exist, but it’s hard to triangulate the real challenges from the sins of omission and proportion.
So, my advice is to be a little skeptical when confronted with scary monsters and shadowy hackers. The good news is that credible vendors are starting to push back against the “FUD” (fear, uncertainty, and doubt) that is rampant within our industry.