SecurityWeek

Application Security

Hype: Security’s Four Letter Word

“Effective Security is about Solving problems, Not Chasing Hype…”

There is a term currently permeating the security industry that in my opinion distracts everyone from the larger goals at hand of making networks safer, mitigating threats and protecting critical data. The term is hype. While drawing attention to important issues and educating user bases to be more aware of potential threats is always a good thing, crossing the line to overhyping potential threats in order to make you sound relevant can cast a dark shadow on the industry as a whole.

As we have covered in prior articles, and depending on which industry analyst stats you choose to believe, between $30 billion and $60 billion is spent on cyber security hardware, software and services each year. However, most CISOs would have a hard time making the case to their CEO or Board that they are appreciably safer today than they were a year ago. In short, our industry has a bit of a credibility problem in many circles, and much of that blame can be traced back to an overabundance of hype.

Hype and FUD

Unlike many of our favorite athletes or politicians, we won’t take the tack of blaming the media for this phenomenon in this space. It is, after all, we in the industry who continue to feed the beast and perpetuate the story. There have been several examples of this over the past couple of years: the doomsday-type threats that capture the minds and attention of the media and their audiences. But in most cases, they simply turn out to be another case of sensationalism that never materializes. One such occurrence this past summer that I recall vividly was the DNS Changer threat.

As a reminder, this referred to the FBI-controlled DNS servers that replaced the malicious versions seized as part of “Operation Ghost Click.” As part of this operation, more than 100 servers at data centers throughout the United States masquerading as legitimate DNS servers were confiscated. The fear was that shutting down these servers would lead to nearly half a million computers losing Internet connectivity. Once again, that fear turned out to be unfounded, but drove security news cycles for several days/weeks around the potential event.

I was inspired to write a short blog on the subject at the time because I felt that these types of threats were becoming a big problem for our industry. It appeared as below on our corporate site in July of 2012:

Effective Security is about Solving problems, Not Chasing Hype

It had all the makings of a sexy security story: a catchy name, international cyber criminals, the FBI, and the potential for thousands to be cut off from the Internet service they depend on. Yet in the end, the DNS Changer became just another story that never materialized. Security can be a fickle industry at times. Even the most experienced and focused professionals can become distracted by hype and lose sight of what is really important: protecting the organization’s most vital assets. It’s easy to see why this can happen; stories like Flame, Zeus and Stuxnet tend to dominate the headlines and create a level of paranoia that can be hard to ignore.

However, if you really want to ensure that you are employing effective security measures, focus less on the hype and more on what your organization has to lose. By being more predictive in your approach to security you can better allocate resources to identify and manage the real threats to your network. While it may not have been Y2K all over again, yesterday was a good reminder that time spent chasing hype cycles is time away from mission critical projects that actually make a difference to your business.

The message has not changed during the past nine months. Unless you are part of our nation’s critical infrastructure, running a financial services network, a nuclear plant, or an energy company in the Middle East, allocating resources to these high-profile threats is an exercise in diminishing returns. Organizations would be far better off ignoring the hype and putting resources towards identifying and mitigating key vulnerabilities and protecting the company’s most critical assets.

While I can understand why these types of stories will continue to garner headlines, as a security professional, I’m more concerned with achieving results. The reality remains that 90-plus percent of companies are more at risk from weak password security, accidental data loss, and poor security practices by their employees than they are from one of these sophisticated attacks. By ignoring the frenzy of the next big thing and working to identify areas of potential loss, companies can most effectively apply their security resources.

Locking your doors and windows is not a sexy security story, but any police department in the country will tell you that this is a more effective security practice than installing a fancy alarm system. The same goes for cyber security. Stop focusing on the shiny new toys and hype and concentrate on the basics. If you do, becoming more secure than last year will become a reality.