That is the word from one noted security blog, Infosec Island. According to blogger Rafal Los, security managers have spent far too long warning that the sky is falling, and asking for expensive security software to help prop it up. As a result, says Los, security specialists all too often are their own worst enemy.
The security community has fallen into the bad habit of selling fear. This can be a natural impulse: bad things really can happen, and security experts are all too aware of the threats out there, and the vulnerabilities within. But selling fear can become a lazy habit. And, like the story of the boy who cried wolf, the warnings can end up being ignored when the wolf finally shows up.
Los identifies four primary results of selling fear:
- Breach overload. So many security breaches have gotten in the news that we have learned to ignore the often-hyped coverage.
- Hierarchical detachment. The fact is that security specialists rarely have close contact with the C-suite. So they aren't asked to provide nuance.
- Chasing shiny things. The absence of nuance means that "security" all too often ends up meaning pitching one more piece of expensive software.
- The sky hasn't fallen – or it has. All too often, firms either skimp on security with no obvious bad results, or splurge on shiny security software - and end up getting breached anyway. Neither outcome builds confidence in the security community.
Security is not about vendor-pitched software. Those "shiny things" are configured to yesterday's threats, not tomorrow's. And security is not about trying to scare executives.
Effective security begins with organizing a process. It means things like a password policy that guides users toward strong passwords. (They aren't that hard, and can provide substantial protection.) Effective security means promptly applying update patches, and understanding the use of tools such as data masking.