Recently The Register, a site mainly frequented by IT and security pros (including moi), published this:
The ‘reason’ they think you missed is the hike in sales Snowden has no doubt prompted for many security firms…and that’s why I’m writing this. A reaction to the way that plays into the hands of stereotypes: Money grabbing snake oil salespeople the lot of us…
…except we’re mostly not.
But El Reg know their readership, so the content is (of course) tailored for them: a community heavily loaded with practitioners who are mostly as cynical as you are about vendor motives. That ‘them and us’ intra-trade division is very real.
As a result, some of you will be thinking this is a complete waste of patronising or naive time. Yet others are no doubt shouting “But it’s true!”…and yes, in some cases, it is. But it’s far, far more subtle than reported, and some statements play to embedded perceptions that take little encouragement to grow into certainties.
Profiting from misery
There is a stark division in the trade between security sales folk and security practitioners. And we are good at tarring all the closers with the same brush. But many, many less brutally-ridden good guys are working with specialist colleagues to avoid the FUD and carefully match what they sell to real client needs.
Behind the scenes a tiny minority will guiltlessly do a lazy or knowingly bad job of security. Then there are the rest: Folk totally committed to building and providing worthwhile things. Folk who frequently fight, out of sight, on your behalf.
A couple of illustrative examples: A digital marketing specialist responding to this from the 2014 Trustwave Security Pressures Report:
80% of IT pros felt pressure to deliver insecure IT solutions
I see this all the time with my developer friends. They say the trend is even worse when it comes to mobile applications because monetization means they can stay in business. Security isn’t an afterthought. It’s a non-thought. They simply don’t care.
That chap (commenting on LinkedIn), perhaps risking his career to highlight the problems faced by technical colleagues trying to do the right thing.
And far more recently, on Norse Corp’s very public implosion:
“I think they just went to market with this a couple of years too soon,” said one former Norse employee who left on his own a few months prior to the January 2016 layoffs, in part because of concerns about the validity of the data that the company was using to justify some of its public threat reports. “It wasn’t all there, and I worried that they were finding what they wanted to find in the data.” (from KrebsOnSecurity, 16th Jan 2016)
I’m not asking you to feel sorry for big vendors with their sometimes requirement-blind push for sales, but the ‘security biz’ isn’t just one big salesperson-populated mass.
Like it or loathe it, business is business
Even if firms have ridden the Snowden wave to greater profits, is that really a bad thing? If you work in anything other than a non-profit, you can’t really afford to turn your nose up at marketing opportunities served up on a long-term, globally-reported platter.
Does that automatically make what’s being sold worthless and overpriced?
No it doesn’t
Are you blackmailing or selling?
So there are the big marketing machines that sometimes overdo EdFUD-drenched sales pitches, but there are also the far smaller guys. Smaller guys like security researchers. Independents and go-betweens like BugCrowd working to bring security vulnerabilities to the attention of vendors and tech-dependent companies. It’s one of the most fraught relationships in the security universe because of the perceived fine line between disclosure and blackmail and the finer judicially interpreted line between legal and illegal research.
Blackmail, to many, might sound like too strong a word, but some responses to security researchers boldly underline that fear-driven response.
Do most security researchers responsibly investigate and then disclose problems?
Yes they do
Are there some folk who overstep legal bounds with research and disclosure of vulnerability details or data?
Yes there are
Have some criminals hidden behind research to extort firms with threats of disclosure?
Yes they have
Do people on the notification receiving end always know how to tell the difference?
No they don’t
And we don’t help folk to tell the difference by chucking fuel from any direction onto a silo-reinforcing and division-hardening fire.
So it’s not The Register I’m grumpy at. It’s the sometimes careless language and imagery that ‘the crew’, in safe social media spaces, takes with an appropriate pinch of salt. Language and imagery that can also serve to water rotten seeds already planted in the minds of people we need to win over.
Ed Snowden: Hero, villain, or just catalyst
Did Snowden’s revelations lead to far greater transparency about the privacy implications and oversight issues with pre-existing surveillance?
Has he provoked some individuals, corporates, and custodians of critical infrastructure to wake up to the very real threats to data and systems?
Has that put more profit into the pockets of security vendors?
But why is that important enough to be a story? It might be Ed, Sony, OPM, Ashley Madison, AppleVsFBI or Cyber Barbie. It’s not what prompts awareness, it’s the integrity with which that’s handled by marketeers, and most of all, more than anything else, it’s about the value on offer.
That’s what we owe folk. Instead of evil sales folk stories, stuff that helps people separate what they need, from what they’re manipulated to want. Stuff that differentiates a great quality person or solution, from value-lite blingy, pingy things. Stuff that gives them confidence in good folk reporting vulnerabilities.
That’s why I paused, clicked, read, frowned and decided to blog about it.