As always, the cyber security market is changing with startups offering new services and new companies expanding into uncharted areas of products and services.
Some of the new offerings are of an offensive nature. Others claim to be in the ‘active defense’ category, which is, in essence, offensive (Agora Workshop – 2001).
It is always a positive thing to see new organizations spring up with new ideas and direction, and new leadership with a vision that takes them to new heights in providing preventive and proactive cyber security measures and countermeasures. Some of the new companies have superb products that can really make a difference.
Then comes the problem that puts us back into a purely economic mode. Yes, every company is in it to make a profit, but many actually believe in the ethos of providing security that is truly and purely for the good of the industry. They eventually become sullied when they start to hire from the ranks of the old guard.
Mind you, the old guard has proven it can take companies financially to the next level, but almost always at the expense of the ethos. And yes, venture firms require that the companies flip and that their investors retain a hefty profit. This is, however, always at the expense of the customer and our data.
We have seen this repeatedly in the past when companies take on new leadership or are acquired by another to be ‘integrated’ into the corporate fold. What this means is a watering down of the research performed by internal groups, an increase in costs, and never truly integrating the product, services and/or key people into the organization.
They are driven to sell, and to sell at all costs. Product features stagnate, services underperform. The benefactors are the investors. We the customers suffer and the security postures of all organizations plummet, while adversaries relax their reverse engineering and innovation efforts since technology change at the cyber security company slows to a snail’s pace.
The adversary can spend less on penetration innovation while more easily bypassing our defenses (even using our defenses as tools in their schemes).
Examples in the past have been the dependence upon what is known, signatures, and a selling of this as an absolute requirement even when they know it may cover 25% of the coverage claimed. They preach that their products are the best and offer the greatest protections. “Safe is not a privilege but a right.” “Choose your destination.” “Security Intelligence, Think Integrated.” “Summers Best Bundle.” “Secure Access for Any Device.” “Change the way you think about anti-virus.”
While they preach, we hemorrhage information. While they get ready for a merger, acquisition, IPO, or sale, our adversaries pluck every information feather from the already cooked goose. We are now seeing some of the same people coming back into the fold starting new companies that will fix every ill or lead established firms with newer ideas.
They spout the new terms as if they made them up. They claim them like a badge of honor, running headlong into the fray as your cyber combat leader. Yet they really have no qualifications for anything of this type. Their heritage is defensive posture. Their know-how is seeing, detecting and arresting. They do not have the experience of active defense, mitigative or retributive counter-striking or outright attacks on attributive targets.
They stir up emotions with FUD and get you to buy their products, which for a short period may in fact work. That lasts until the cycle starts again, when the right number of customers is reached and the correct revenue numbers are achieved. Then the ethos of the visionaries is trampled and innovation stops. It is a cycle we have seen repeatedly.
Why do we think that the result will be different? Why do we believe that their leadership of a new or existing company will result in anything but their filling their pockets once again? Why do we continue to repeat history and act in an insane manner by buying their products, when we know that it will not lead us to fulfill the promises they make about their products and services? Why do we believe that they are suddenly endowed with the experience and know-how that they never before possessed or exhibited? Are we truly that blind?
Keep your eyes on these companies. I do not need to name them or call them out. They are in the news at every chance. New marketing campaigns are started that target the new catch phrases with slight modifications to make them look as if they were their idea.
Watch the cycle and hope you do not find yourself completely bought in when the ethos takes a back seat.
About the Author: Jeff Bardin is currently Chief Intelligence Officer for Treadstone 71. In 2007 he was awarded the RSA Conference award for Excellence in the Field of Security Practices. The Bardin-led security team from Hanover Insurance also won the 2007 SC Magazine Award – Best Security Team, competing against such organizations as Barclays Global and the Department of State. Jeff sits on the Board of Directors of Boston Infragard, Content Raven and Wisegate; was a founding member of the Cloud Security Alliance; is a member of the Cyber Security Forum Initiative and the RSA Conference Submission Selection Committee; and formerly served on the Customer Advisory Board for Chosen Security. Jeff published The Illusion of Due Diligence in 2010, was a co-author for the Computer and Information Security Handbook and Understanding Computers, and has published articles for magazines such as The Intelligencer, CSO, and SC Magazine. Jeff served in the USAF as a cryptologic linguist, and in the USANG as an officer. He has a BA in Special Studies - Middle East Studies & Arabic Language from Trinity College as well as an MS in Information Assurance from Norwich University. He is also a professor of masters programs in cyber intelligence, counterintelligence, cybercrime and cyber terrorism at Utica College. Jeff also holds the CISSP, CISM, C|CISO and NSA-IAM certifications.