Hype: Security’s Four Letter Word

“Effective Security is about Solving problems, Not Chasing Hype…”

There is a term currently permeating the security industry that in my opinion distracts everyone from the larger goals at hand of making networks safer, mitigating threats and protecting critical data. The term is hype. While drawing attention to important issues and educating user bases to be more aware of potential threats is always a good thing, crossing the line to overhyping potential threats in order to make you sound relevant can cast a dark shadow on the industry as a whole.

As we have covered in prior articles, and depending on which industry analyst stats you choose to believe, there is between $30 and $60 billion spent on cyber security hardware, software and services each year. However, most CISOs would have a hard time making the case to their CEO or Board that they are appreciably safer today than they were a year ago. In short, our industry has a bit of a credibility problem in many circles and much of that blame can be traced back to an overabundance of hype.

Unlike many of our favorite athletes or politicians, we won’t take the tack of blaming the media for this phenomenon in this space. It is, after all, we in the industry who continue to feed the beast and perpetuate the story. There have been several examples of this over the past couple of years, the doomsday-type threats that capture the minds and attention of the media and their audiences. But in most cases, they simply turn out to be another case of sensationalism that never materializes. One such occurrence this past summer that I recall vividly was the DNS Changer threat.

As a reminder, this referred to the FBI-controlled DNS servers that replaced the malicious versions seized as part of “Operation Ghost Click.” As part of this operation, more than 100 servers at data centers throughout the United States masquerading as legitimate DNS servers were confiscated. The fear was that shutting down these servers would lead to nearly half a million computers losing Internet connectivity. Once again, that fear turned out to be unfounded, but drove security news cycles for several days/weeks around the potential event.

I was inspired to write a short blog on the subject at the time because I felt that these types of threats were becoming a big problem for our industry. It appeared as below on our corporate site in July of 2012:

Effective Security is about Solving problems, Not Chasing Hype


It had all the makings of a sexy security story: a catchy name, international cyber criminals, the FBI, and the potential for thousands to be cut off from the Internet service they depend on. Yet in the end, the DNS Changer became just another story that never materialized. Security can be a fickle industry at times. Even the most experienced and focused professionals can become distracted by hype and lose sight of what is really important: protecting the organizations’ most vital assets. It’s easy to see why this can happen: stories like Flame, Zeus and Stuxnet tend to dominate the headlines and create a level of paranoia that can be hard to ignore.


However, if you really want to ensure that you are employing effective security measures, focus less on the hype and more on what your organization has to lose. By being more predictive in your approach to security you can better allocate resources to identify and manage the real threats to your network. While it may not have been Y2K all over again, yesterday was a good reminder that time spent chasing hype cycles is time away from mission critical projects that actually make a difference to your business.

The message has not changed during the past nine months. Unless you are part of our nation’s critical infrastructure, running a financial services network, a nuclear plant, or an energy company in the Middle East, allocating resources to these high-profile threats is an exercise in diminishing returns. Organizations would be far better off ignoring the hype and putting resources towards identifying and mitigating key vulnerabilities and protecting the company’s most critical assets.

While I can understand why these types of stories will continue to garner headlines, as a security professional, I’m more concerned with achieving results. The reality remains that 90-plus percent of companies are more at risk from weak password security, accidental data loss, and poor security practices by their employees than they are from one of these sophisticated attacks. By ignoring the frenzy of the next big thing and working to identify areas of potential loss, companies can most effectively apply their security resources.

Locking your doors and windows is not a sexy security story, but any police department in the country will tell you that this is a more effective security practice than installing a fancy alarm system. The same goes for cyber security. Stop focusing on the shiny new toys and hype and concentrate on the basics. If you do, becoming more secure than last year will become a reality.
