"Effective Security is about Solving problems, Not Chasing Hype..."
There is a term currently permeating the security industry that in my opinion distracts everyone from the larger goals at hand of making networks safer, mitigating threats and protecting critical data. The term is hype. While drawing attention to important issues and educating user bases to be more aware of potential threats is always a good thing, crossing the line to overhyping potential threats in order to make you sound relevant can cast a dark shadow on the industry as a whole.
As we have covered in prior articles, and depending on which industry analyst stats you choose to believe, there is between $30 and $60 billion dollars spent on cyber security hardware, software and services each year. However, most CISOs would have a hard time making the case to their CEO or Board that they are appreciably safer today than they were a year ago. In short, our industry has a bit of a credibility problem in many circles and much of that blame can be traced back to an overabundance of hype.
Unlike many of our favorite athletes or politicians, we won’t take the tack of blaming the media for this phenomenon in this space. It is, after all, we in the industry who continue to feed the beast and perpetuate the story. There have been several examples of this over the past couple of years, the doomsday-type threats that capture the minds and attention of the media and their audiences. But in most cases, they simply turn out to be another case of sensationalism that never materializes. One such occurrence this past summer that I recall vividly was the DNS Changer threat.
As a reminder, this referred to the FBI-controlled DNS servers that replaced the malicious versions seized as part of “Operation Ghost Click.” As part of this operation, more than 100 servers at data centers throughout the United States masquerading as legitimate DNS servers were confiscated. The fear was that shutting down these servers would lead to nearly half a million computers losing Internet connectivity. Once again, that fear turned out to be unfounded, but drove security news cycles for several days/weeks around the potential event.
I was inspired to write a short blog on the subject at the time because I felt that these types of threats were becoming a big problem for our industry. It appeared as below on our corporate site in July of 2012:
Effective Security is about Solving problems, Not Chasing Hype
It had all the makings of sexy security story, a catchy name, international cyber criminals, the FBI, and the potential for thousands to be cut off from the Internet service they depend on. Yet in the end, the DNS Changer became just another story that never materialized. Security can be a fickle industry at times. Even the most experienced and focused professionals can become distracted by hype and lose sight of what is really important, protecting the organizations’ most vital assets. It’s easy to see why this can happen, stories like Flame, Zeus and Stuxnet tend to dominate the headlines and create a level of paranoia that can be hard to ignore.
However, if you really want to ensure that you are employing effective security measures, focus less on the hype and more on what your organization has to lose. By being more predictive in your approach to security you can better allocate resources to identify and manage the real threats to your network. While it may not have been Y2K all over again, yesterday was a good reminder that time spent chasing hype cycles is time away from mission critical projects that actually make a difference to your business.
The message has not changed during the past nine months. Unless you are part of our nation’s critical infrastructure, running a financial services network, a nuclear plant, or an energy company in the Middle East, allocating resources to these high-profile threats is an exercise in diminishing returns. Organizations would be far better off ignoring the hype and putting resources towards identifying and mitigating key vulnerabilities and protecting the company’s most critical assets.
While I can understand why these types of stories will continue to garner headlines, as a security professional, I’m more concerned with achieving results. The reality remains that 90-plus percent of companies are more at risk from weak password security, accidental data loss, and poor security practices by their employees than they are from one of these sophisticated attacks. By ignoring the frenzy of the next big thing and working to identify areas of potential loss, companies can most effectively apply their security resources.
Locking your doors and windows is not a sexy security story, but any police department in the country will tell you that this is a more effective security practice than installing a fancy alarm system. The same goes for cyber security. Stop focusing on the shiny new toys and hype and concentrate on the basics. If you do, becoming more secure than last year will become a reality.