Advice Ruins Lives in Cybersecurity

Pete Herzog
Feb 1, 2018


Advice has a utopian and inaccurate public image of humans helping humans in a passive yet supportive way. Advice is the old, wise person in movies preaching morality because it’s more obvious that way. It’s the parental wisdom in bedtime stories that teaches young kids to be the hero. It’s the analyst reports that overworked business people buy to save themselves the time of doing their own research. But the reality is that advice is not the moral compass of our hearts and minds. Not even close.

“Just hear me out,” they say.

“It can’t hurt to listen,” you think.

It can. It does. Even if you think it’s okay because you will just reject the bad advice, you’re wrong. Merely hearing advice changes you. It acts as a hysteresis on your decision-making: the state you end up in depends on what you were exposed to along the way, and that lag persists even if you choose not to follow the advice.

Advice is not benign. Something repeated often and by many will begin to sound true whether or not it is. Something that has rhyme or rhythm sounds more true even if it isn’t. Something we read in the inverted pyramid format sounds more true. Something classified as a report sounds more true. And even if we don’t agree with it, we remember these things and apply them later as we need them to make sense of what we want.

What am I saying? Advice is addictive. Advice fosters dependencies. Advice kills. But I’m getting ahead of myself.

It’s hard to do your own research for an answer in security. It’s hard because when it comes to information security and cybersecurity and network security and all the other securities out there, there are a lot of university research papers that are hard to read, full of math symbols and squiggly lines and pages describing how the test was set up. Worse, many of these papers never state clearly at the end whether the thing they tested was good or bad. It’s not clear. And that sucks.

Welcome the Research Advising firms. There are many. Not counting the many universities that skew their research toward where the money falls, there’s Gartner, Carnegie, RAND, Cato, Brookings, Ponemon, and more. They do the one thing that makes life easier for the busy business person: they tell them whether that cybersecurity solution is good or bad. And that’s a problem you didn’t know you had.

Let’s be clear, I’m not saying these researchers spend the day petting their fluffy, white cats and making evil plans. Not all of them. I have great respect for many of the researchers who work at these places. I have a problem with the places. And you should too. Because they give single-purpose advice.

Advice is the kind of thing that works best when backed by details of methods which are reproducible. “Product X is better than Product Y because we say so” isn’t exactly reproducible. Making a chart to show me where it’s better isn’t reproducible. Telling me how you tested it isn’t the same as my being able to reproduce it. And if you’re thinking, “But I don’t have time to reproduce the test results so just tell me if I should buy it!” then don’t worry, because you’re like everyone else reading this. And you know what, nobody HAS the time — you MAKE the time. If it’s important, like your kid’s ballet recital, your Wednesday poker game, your wedding, or the safety and security of all the people from employees to clients that you were specifically hired to protect, then you make the time. Because it’s important.

Yes, easier said than done. I get it. I was once human too and had these problems. And these research advising firms know that you don’t have the time. That’s why they’re there to help you. Or are they?

The research and advisory business isn’t a “for the benefit of humanity” shop. They earn billions. With a B. Just for telling people what they should buy. Seems odd though, doesn’t it? Looking at 2016 numbers, one analyst firm brought in almost $2.5 billion in revenue. In a year. Selling reports to people who don’t have time to make decisions. Compare that to large security companies who mainly sell products, a lot of products, not information, and most of them don’t bring in as much in a year. So how do they pull this off with research, consulting, and report writing? To be fair, compared to the big consultancies, two and a half billion is actually on the low end. Still, advising obviously pays. But I still wonder how.

But we can’t compare them to consultancies, which make a lot of their money in technical implementations, product solutions, and the reselling of products. Research advisory firms don’t. They test, report, and advise, supposedly like Consumer Reports. That testing and research arm of Consumers Union publishes a magazine in which they test and rate a whole variety of products and then advise. It has a circulation of 3.8 million and has held a staunch stance on independent verification since its inception in 1936. They’ve had a few stray conflicts here and there, but they’ve also gone to court to make sure no company can use their positive reviews in its marketing, to minimize the possibility of employees, or the organization itself, being paid by product makers to place them in a favorable light. Doing so earns them a fraction, measured in millions rather than billions, of what a research advising firm in information technology and cybersecurity makes. There are many reasons why this might be, but almost none of them come down to bad research and testing. So what are they missing that would earn the big bucks?

Now, before anyone freaks out and I’m attacked by swarms of angry CIOs in a frenzy (they can skeletonize an infrastructure in seconds, ya know), let’s think about this rationally. All I’m saying is that the companies you rely on to make your decisions for you should be as honest with you as possible. Part of that is admitting that products don’t solve all our cybersecurity problems. Not every solution is a piece of software or a device. Sometimes it’s effort. Which is hard to admit when they take money to test products, take money to list products, and then let the vendors they rate redistribute the research that puts those vendors in a positive light. That creates something called a “conflict of interest,” and that’s something you should freak out about. I think. But I don’t know, I’m no Freakingologist.

Look, if you’re paying to get the answers to your cybersecurity problems then you already know there’s no easy answer. There is no secret to success that comes with them telling you they’ve discovered the next, great, security solution. Because it doesn’t exist. And it definitely won’t exist in the marketing categories they’ve created to set pricing levels for company test participation. And do you know why that is? It’s because the next great security solution will not be something that will just drop from the blue but be the thing that has matured to the point where it’s safely no longer a security device but part of every device.

Keep that in mind when you read the next cybersecurity advisory company report and try to make sense of its test results.

But we need the advice, you say. The tech field moves too fast for us to keep up, you say, we need help! I get it. But this is happening because 1) you’re wrong in how you approach security and 2) you’re so very wrong in what you think security is. Yes, tech moves fast. Today we have the Internet of Things. Tomorrow we’ll have the Internet of Humans. Who knows? But you know what hasn’t changed at all? Security. It’s still the same effort. It’s still the same process. And you’re in luck, because the research into understanding it has pretty much ground to a halt now that we’ve got all these products! Sure, they’re mostly doing some variation of authentication or encryption, but really, when you have the perfect product and it works 100% perfectly and flawlessly you won’t ever need anything else. At least that’s what your decision-making crutch in the form of an analyst report will tell you.

But it’s not true. Trying to solve a security problem by layering on a stack of more security products is like trying to help a drowning victim by throwing water on them. Security products have a place in any infrastructure, but which product belongs there depends greatly on the network environment, the communications strategy, and the business processes, not on which system is the fastest, greenest, or sexiest. It’s about what you need. That is how all tools should be evaluated.

Once upon a time I was asked to help a company pick a VPN. They chose a few vendors initially, picked because they scored high with a big research advising firm, to save time. Those vendors came in and I silently (and painfully) listened to each sales pitch. I did things like wonder how NMAP scans of the device proved it couldn’t be penetrated, or how the larger SSL certificate size actually assured the login couldn’t be brute-forced, but I didn’t want to disrupt the presentation flow. In the end I wondered how these devices made the top of the list. So we scheduled to have them all installed and configured by the vendor in the company on a trial basis so we could use them the way they were meant to be used BY THIS COMPANY. It also gave me a chance to test each device in various ways. Afterwards I ranked them on how well they did with the company’s stuff based on speed, security, and price. In the end we went with none of them because they were all the wrong fit FOR THIS COMPANY. Eventually we got one that worked for the company after searching and talking to various distributors. It didn’t rank on any list but it was the right tool for the job. And there’s a moral here.

Advising is telling people what’s right for them in their situation and for their needs. Advising is LISTENING to the people who need the advice, people who aren’t you. Advising isn’t pushing one way of doing things, like using products to solve problems, and ranking them according to some arbitrary scale for people to pick from. There is a word for that and it’s called preaching and evangelizing, not advising. OK, that’s two words. So there are two words for it, move on already.

In the world of cybersecurity, you, the company who needs it, are the sugar daddies and sugar mommies looking for the next hottest thing. And the new security solutions vying to be the next hottest thing are paying for the chance to be seen first and in the best light. And the research advising firm is in the middle taking money to make it happen. What’s the word for that?

But none of that’s the moral. That was just me ranting. The moral is that you need to think for yourself. You need to know what’s right for you before you start to look. If you don’t know what you need then you’re not ready to buy anything yet. So don’t listen to any advice just yet on what products you should buy. Because it will shape your opinion before you should have one. That will leave you with cybersecurity that may not be right for you, and that’s something you’ll rue some day. Because advice you’re not ready for ruins lives. And that’s my moral here. Advice can ruin lives. #ThinkBeyond.

Written by Pete Herzog

Hacker/Analyst, Researcher, Speaker. Warning: this is my ideas blog for controversial stuff. YMMV. Twitter: @peteherzog