Digital Snake Oil
The threat of cyber attacks at all levels has unleashed a flurry of product development and technology solutions in the cybersecurity market. However, unlike other sectors, there is no “true cyber market” because of the close connection between cyber and information technology (IT). Many companies still budget cybersecurity products and services as part of their IT programs rather than as part of corporate risk management strategies.
The problem is that as cyber spending increases, the growth makes the IT budget appear disproportionate to other critical parts of company operations. The MBA in the ivory tower eventually sees an overspend on IT and cuts the budget. This is just one issue we have encountered in trying to put a digital overlay on technology systems that makes them secure. It exemplifies how cybersecurity is viewed very differently across environments and is thus hard to coordinate at a national level, let alone at the local level.
Now, these issues are exacerbated by the fact that most executives, and citizens in general, lack the knowledge to understand the value they receive from a technology security purchase. The vendors don’t really help with their “sell now” approach. They seem to have forgotten that education is a key to building a culture of cybersecurity.
Unfortunately, the education of customers and users has not been a part of the equation that sums up the real threats in the cyber market. Most people truly don’t understand what is at risk. This approach by vendors is shortsighted because after a while a purchaser may drop the product or service because they never understood the true value.
But maybe the lack of cybersecurity education by vendors is not by accident. I attended the RSA Conference held just last week in San Francisco, as it has been for decades. RSA is the largest cybersecurity conference in the world and has an expo floor that is plain tiring. Every company you know is on display, as well as those that have launched in the last year or so. RSA showcases products, services and perspectives. However, one thing it does not do is “out” underperforming products and services, especially those that are ineffective or outdated. A person would only need to spend 10 minutes on the expo floor to see the growth in the number of products and the similarities in what each vendor is claiming. Eventually, the voices sound like sheer madness as the vulnerabilities, threats and consequences continue to grow daily.
With all that RSA has to offer, its greatest gift to our society is for us to see how ridiculous our quest for cyber resilience has become. A lot of smart people attend the conference and network throughout the week. Yet we are not really closer to getting the beat on hackers. The hacker communities are growing and ours are waning because we don’t trust each other. It appears our real focus is on market value and not on market sustainability. Even when a product leaves a potential client vulnerable, that is a small factor in decisions related to market delivery. Not surprisingly, the goal of new products and services is to eventually spur an acquisition or an IPO.
With all of this, there is no more confidence in our ability to limit cyber attacks across the nation or for individuals. Even as the purchasing of cybersecurity products and services increases, we might be building a house of cards, decreasing network and personal protections. Meanwhile, public Wi-Fi as well as other commonly used systems are more vulnerable than ever. The ability to recover from cyber disruption for most people and neighborhoods means that a loss of electrical power will cripple them. So, as the market grows, the false confidence it creates may be the death of us, or at least we will wish we were dead.
The truth is powerful and sometimes scary. However, the truth leads us to opportunities to make changes in approaches yielding better results. More of the same makes some people rich now, which is what most vendors care about.
That’s okay, I guess. After all, we do live in a capitalistic society. The issue is that people are not armed to fight back or make demands that would improve the products. The lack of demands on vendors allows them to make claims and tell the customer what the customer needs, unlike in other markets.
If this dance continues, the number of dollars flowing to creative cyber companies will increase. The downside is that the struggle for companies with less creative marketing, but more effective solutions, will continue. It is not just those businesses that are losing. We all take a loss.
Ultimately, we will need methods to out technologies and vendors who are delivering a “cost” and not a solution to our very real cyber conundrum. More people are being personally hurt by cyber-related attacks, and the lack of protections or solutions for them signals the hackers are on a roll. Our cyber maturity will require leaders who are ready to help companies avoid the snake oil. Market growth will ironically come from vendors educating customers who are better prepared to demand better solutions.
Michael A. Echols (Mike) is the CEO of Max Cybersecurity LLC. He launched the company after 7 years at the Department of Homeland Security (DHS). In 2015, Mr. Echols became the White House point person for the rollout of Presidential Executive Order 13691 – Promoting Private Sector Cyber Information Sharing.