The Security Industry Mindset: Black Hat 2015 vs. Black Hat 2016

It's good to see the marketing imagery at Black Hat evolve away from scary pictures of soldiers in gas masks.
Writer Tyler C.
August 09, 2016

Tyler is Terbium’s Chief Product Officer and Customer Success Lead. Tyler is a technology entrepreneur with a background in software development who, at any given moment, would probably rather be skiing. Tyler blogs about the intersection of technology and security and the challenges organizations face in developing realistic plans for securing their data.

Since we started Terbium we’ve promoted the mindset that defense, while still necessary, is no longer sufficient. Security, like the weather, has become as much a risk management problem as a technical problem. It’s not a matter of “implement all the right technical solutions and be completely safe,” but rather a matter of managing your risk, both defensively, pre-incident, and responsively, post-incident.

One of the characteristics of a technical, or IT, problem is that either you have a problem or you don’t. If an employee can access their email, there is no problem. If they cannot, it’s a problem. Problems like this are well suited to a fire alarm mentality. There’s no need for concern if everything is working. As soon as something is not, it is a problem, and it must immediately be fixed. Then it is no longer a problem, and all may return to being unconcerned.

Risk management problems are very different. By their nature, risk management problems are not “solved” or “unsolved.” Whether or not you have a problem with flooding isn’t a question with a binary answer, but rather a probabilistic one. If you’re adequately protected, that doesn’t tell you anything about the next rainstorm – it just tells you that, on balance, taking into account all the floods expected, you’re comfortable with your level of risk. The fire alarm mentality is destructive here, because even with the best risk management, there’s no ‘solving’ the risk of flooding. That risk persists, and you can’t ring the fire alarm non-stop.

Back in 2013, this was an unusual message. Then, much more so than now, security was seen as a technical problem that needed to be solved. The messaging was almost universally FUD (fear, uncertainty, and doubt), as stock photos of sweaty security engineers were juxtaposed with black ops soldiers rappelling out of helicopters with laptops between their teeth.

Be very concerned – panic, even! – until you implement this technical solution. Then the problem will be solved, and you have nothing to worry about, the messaging said. At Black Hat 2015, the typical booth design featured crisis imagery. At least one booth featured an actor dressed as the Terminator, and the resounding message was that everything was on fire, but that cyber security special forces could put it out.

Fast forward to 2016, though, and it looks like we (as an industry) may have turned a corner. The mindset of an industry goes directly to its marketing, and nowhere is security industry marketing as consolidated as at the Black Hat conference. The contrast between this year and last is striking. Instead of FUD, the majority of messaging this year was geared toward living with the problem. Colors were brighter, booth designs had far more illustrations and far fewer photorealistic images of military figures, and many more companies opted for designs that emphasized ongoing risk, and the need not to panic – either by adopting tongue-in-cheek designs, or by emphasizing the ongoing nature of the threat.

As our weather analogy emphasizes, security is a risk management problem, and security products need to be sold as such. Information security products are inputs to the cost/investment/convenience/security tradeoff, and that’s a tradeoff that’s both inherently mathematical and inherently ongoing.
