Snowden: Greasing The Wheels Of An Unprincipled Cybersecurity Trade?

Recently The Register, a site mainly frequented by IT and security pros (including moi), published this:

Snowden is a hero to the security biz – but not for the reason you’d expect

The ‘reason’ they think you missed is the hike in sales Snowden has no doubt prompted for many security firms…and that’s why I’m writing this. A reaction to the way that plays into the hands of stereotypes: Money grabbing snake oil salespeople the lot of us…

…except we’re mostly not.

But El Reg know their readership, so the content is (of course) tailored for them: a community heavily loaded with practitioners who are mostly as cynical as you are about vendor motives. That ‘them and us’ intra-trade division is very real.

As a result, some of you will be thinking this is a complete waste of patronising or naive time. Yet others are no doubt shouting “But it’s true!”…and yes, in some cases, it is. But it’s far, far more subtle than reported, and some statements play to embedded perceptions that take little encouragement to grow into certainties.

Profiting from misery

There is a stark division in the trade between security sales folk and security practitioners. And we are good at tarring all the closers with the same brush. But many, many less brutally-driven good guys are working with specialist colleagues to avoid the FUD and carefully match what they sell to real client needs.

Behind the scenes a tiny minority will guiltlessly do a lazy or knowingly bad job of security. Then there are the rest: Folk totally committed to building and providing worthwhile things. Folk who frequently fight, out of sight, on your behalf.

A couple of illustrative examples: A digital marketing specialist responding to this from the 2014 Trustwave Security Pressures Report:

80% IT pros felt pressure to deliver insecure IT solutions

I see this all the time with my developer friends. They say the trend is even worse when it comes to mobile applications because monetization means they can stay in business. Security isn’t an afterthought. It’s a non-thought. They simply don’t care.

That chap (commenting on LinkedIn), perhaps risking his career to highlight the problems faced by technical colleagues trying to do the right thing.

And far more recently, on Norse Corp’s very public implosion:

“I think they just went to market with this a couple of years too soon,” said one former Norse employee who left on his own a few months prior to the January 2016 layoffs, in part because of concerns about the validity of the data that the company was using to justify some of its public threat reports. “It wasn’t all there, and I worried that they were finding what they wanted to find in the data.” (from KrebsOnSecurity, 16th Jan 2016)

I’m not asking you to feel sorry for big vendors with their sometimes requirement-blind push for sales, but the ‘security biz’ isn’t just one big salesperson-populated mass.

Like it or loathe it, business is business

Even if firms have ridden the Snowden wave to greater profits, is that really a bad thing? If you work in anything other than a non-profit, you can’t really afford to turn your nose up at marketing opportunities served up on a long-term, globally-reported platter.

Does that automatically make what’s being sold worthless and overpriced?

No it doesn’t

Are you blackmailing or selling?

So there are the big marketing machines that sometimes overdo EdFUD-drenched sales pitches, but there are also the far smaller guys. Smaller guys like security researchers. Independents and go-betweens like BugCrowd working to bring security vulnerabilities to the attention of vendors and tech-dependent companies. It’s one of the most fraught relationships in the security universe because of the perceived fine line between disclosure and blackmail, and the finer judicially interpreted line between legal and illegal research.

Blackmail, to many, might sound like too strong a word, but some responses to security researchers boldly underline that fear-driven response.

Do most security researchers responsibly investigate and then disclose problems?

Yes they do

Are there some folk who overstep legal bounds with research and disclosure of vulnerability details or data?

Yes there are

Have some criminals hidden behind research to extort firms with threats of disclosure?

Yes they have

Do people on the notification receiving end always know how to tell the difference?

No they don’t

And we don’t help folk to tell the difference by chucking fuel from any direction onto a silo-reinforcing and division-hardening fire.

So it’s not The Register I’m grumpy at. It’s the sometimes careless language and imagery that ‘the crew’, in safe social media spaces, takes with an appropriate pinch of salt. Language and imagery that can also serve to water rotten seeds already planted in the minds of people we need to win over.

Ed Snowden: Hero, villain, or just catalyst?

Did Snowden’s revelations lead to far greater transparency about the privacy implications and oversight issues with pre-existing surveillance?

Definitely

Has he provoked some individuals, corporates, and custodians of critical infrastructure to wake up to the very real threats to data and systems?

No doubt

Has that put more profit into the pockets of security vendors?

Hell yes!

But why is that important enough to be a story? It might be Ed, Sony, OPM, Ashley Madison, AppleVsFBI or Cyber Barbie. It’s not what prompts awareness, it’s the integrity with which that’s handled by marketeers, and most of all, more than anything else, it’s about the value on offer.

That’s what we owe folk. Instead of evil sales folk stories, stuff that helps people separate what they need from what they’re manipulated to want. Stuff that differentiates a great quality person or solution from value-lite blingy, pingy things. Stuff that gives them confidence in good folk reporting vulnerabilities.

That’s why I paused, clicked, read, frowned and decided to blog about it.
