
Hype: Security’s Four Letter Word

“Effective Security is about Solving problems, Not Chasing Hype…”

There is a term currently permeating the security industry that, in my opinion, distracts everyone from the larger goals at hand: making networks safer, mitigating threats and protecting critical data. The term is hype. Drawing attention to important issues and educating users to be more aware of potential threats is always a good thing, but crossing the line into overhyping potential threats in order to sound relevant casts a dark shadow on the industry as a whole.

As we have covered in prior articles, and depending on which industry analyst statistics you choose to believe, between $30 billion and $60 billion is spent on cyber security hardware, software and services each year. However, most CISOs would have a hard time making the case to their CEO or Board that they are appreciably safer today than they were a year ago. In short, our industry has a bit of a credibility problem in many circles, and much of that blame can be traced back to an overabundance of hype.

Hype and FUD

Unlike many of our favorite athletes or politicians, we won't take the tack of blaming the media for this phenomenon in this space. It is, after all, we in the industry who continue to feed the beast and perpetuate the story. There have been several examples of this over the past couple of years: the doomsday-type threats that capture the minds and attention of the media and their audiences. In most cases they simply turn out to be another case of sensationalism that never materializes. One such occurrence this past summer that I recall vividly was the DNS Changer threat.

As a reminder, this referred to the FBI-controlled DNS servers that replaced the malicious ones seized as part of "Operation Ghost Click." As part of that operation, more than 100 servers at data centers in the United States masquerading as legitimate DNS servers were confiscated. The fear was that shutting down the replacement servers would leave nearly half a million computers, still configured to use the rogue DNS addresses, without Internet connectivity. Once again, that fear turned out to be unfounded, but it drove security news cycles for days, even weeks, around the potential event.

I was inspired to write a short blog on the subject at the time because I felt that these types of threats were becoming a big problem for our industry. It appeared on our corporate site in July 2012 as follows:

Effective Security is about Solving problems, Not Chasing Hype

It had all the makings of a sexy security story: a catchy name, international cyber criminals, the FBI, and the potential for thousands to be cut off from the Internet service they depend on. Yet in the end, DNS Changer became just another story that never materialized. Security can be a fickle industry at times. Even the most experienced and focused professionals can become distracted by hype and lose sight of what is really important: protecting the organization's most vital assets. It's easy to see why this can happen; stories like Flame, Zeus and Stuxnet tend to dominate the headlines and create a level of paranoia that can be hard to ignore.

However, if you really want to ensure that you are employing effective security measures, focus less on the hype and more on what your organization has to lose. By being more predictive in your approach to security, you can better allocate resources to identify and manage the real threats to your network. While it may not have been Y2K all over again, yesterday was a good reminder that time spent chasing hype cycles is time taken away from mission-critical projects that actually make a difference to your business.

The message has not changed during the past nine months. Unless you are part of the nation's critical infrastructure, running a financial services network, a nuclear plant, or an energy company in the Middle East, allocating resources to these high-profile threats is an exercise in diminishing returns. Organizations would be far better off ignoring the hype and putting resources toward identifying and mitigating key vulnerabilities and protecting the company's most critical assets.

While I can understand why these types of stories will continue to garner headlines, as a security professional I'm more concerned with achieving results. The reality remains that 90-plus percent of companies are more at risk from weak password security, accidental data loss, and poor security practices by their employees than they are from one of these sophisticated attacks. By ignoring the frenzy over the next big thing and working to identify areas of potential loss, companies can apply their security resources most effectively.

Locking your doors and windows is not a sexy security story, but any police department in the country will tell you that it is a more effective security practice than installing a fancy alarm system. The same goes for cyber security. Stop focusing on the shiny new toys and the hype, and concentrate on the basics. If you do, becoming more secure than last year will become a reality.
