Beware Cybersecurity Charlatanism

Cybersecurity headlines have a new angle lately.  Aside from discussions about the OPM breach and Chinese cyber-espionage, there are also lots of stories about 52-week high stock prices of cybersecurity darlings like CyberArk, FireEye, Palo Alto Networks, and Splunk.  I’ve also read reports about imminent IPOs and investment firms that created several new cybersecurity ETFs. 

For those of us old enough to live through the Internet boom (i.e. like yours truly), this all has a familiar ring to it.  And just like the time when on-line pet food companies had multi-billion dollar valuations, the cybersecurity industry is starting to sound a bit like a sock puppet.  In other words, the intersection of cybersecurity and big money has led to the rise of cybersecurity charlatanism. 

What do I mean?  Over the past few years, lots of well-connected, well-funded and highly-visible people have started waving their arms around, making all kinds of bold, brash, and boisterous statements about the state of cybersecurity as well as all types of silver-bullet cybersecurity solutions.

Here are a few examples of cybersecurity charlatanism at work:

• The industry blame game.  This was a popular train of thought at the RSA Security Conference and it continues to gain steam.  Simply stated, this argument suggests that cybersecurity vendors have not developed the right products and services to mitigate risk or detect and respond to problems.  Some suggest that the industry does this on purpose to drive sales.  The conclusion here is that something new is needed that swims against the tide of the cybersecurity industry at large.  While there is a nugget of truth to this argument it has been taken to an extreme lately.  Besides, anyone ever hear the term, ‘caveat emptor?’
• Buzz word bingo solutions.  This one is a bit of an addendum to the blame game as it poses some type of a solution based upon techno-babble components.  What’s needed to address cyber-attacks is more big data analytics!  We need to do machine learning for better anomaly detection!  Threat intelligence sharing will democratize cybersecurity protection and make everyone stronger!  These bold statements make great headlines and all of these technologies can bring incremental improvements, but no one seems to get into too much detail about how they will help.
• Give up on prevention.  The pitch here is that it’s not worth investing in prevention since the bad guys can easily circumvent many security controls.  To me, this is kind of the cybersecurity analogue to the fatalist notion that we’re all going to die so you may as well live fast, die young, and be a good looking corpse.  Ask any infosec professional and they will tell you that prevention done right does work as it can filter out the noise and make it easier to detect/respond when bad things do happen. 
• Ridiculous pre-IPO valuations.  The Sand Hill Road guys are in the enviable position of telling the world how much the startups they’ve invested in are worth.  It’s also worth noting that a bunch of these guys cut their teeth in IT infrastructure and business applications but for some reason the media often seeks out their clearly self-serving, biased, and naïve opinions on the state of cybersecurity.  Of course, this all fans the flames of industry gaga, and turns $10 million point products companies into multi-hundred million dollar new new thing visionaries.  The rich get richer and the confused get more confused.
• Cybersecurity hits the campaign trail.  This may be the worst case of cybersecurity charlatanism in that people who barely know how to use email are criticizing federal cybersecurity programs and offering up meaningless platitudes in response.  For example, Republican candidate Jeb Bush believes the US should emulate Estonia, a country with a population of 1.3 million people and a GDP of about $25 billion USD.  Former HP CEO Carly Fiorina is playing to the party base by suggesting that the DOD should have oversight over civilian cybersecurity, knowing full well that this suggestion would never see the light of day in Washington.  Not to be outdone, Democrat Hillary Clinton is quick to point a finger at China but hasn’t stated how cybersecurity policies would change in a Clinton 45 administration.  Fasten your seat belts as we are in for another 17 months of this misinformed and misguided banter.

Cybersecurity charlatanism would be laughable if it weren’t so dangerous.  While we really need clear and accurate cybersecurity communications, we are getting soundbites, marketing dribble, and completely inaccurate BS further confusing everything.  Remember how Wall Street sold the world on mortgage-backed securities?  Well the same thing is happening in cybersecurity.  Yeah, it’s not big enough to cause a financial meltdown but it could really mess with our money and personal data.

A growing list of people and companies sell and make money from cybersecurity products – VCs, investment bankers, entrepreneurs, etc.  This is exactly why cybersecurity charlatanism is gaining momentum.  But as the wonderful cybersecurity saying goes, ‘cybersecurity is a process, not a product.’  Cybersecurity sellers that understand this truism will introduce products that align with and actually improve existing cybersecurity processes adding tremendous value.  Everyone else is in it for the quick buck and that’s a real problem.  We are talking about national security, privacy, and people’s lives here – not just sock puppet-like ten-bangers and IPOs.