I was reading an interview with an executive from a nameless security vendor the other day and the point he was making was that their security products are necessary because “hacking is now a for profit enterprise”. How absolutely 2007.
Most of the examples of hacking incidents he brought up were attributed to LulzSec or Anonymous. Those are not examples of “for profit enterprises”. They were exactly the malicious and “to show we can” type of attacks that he said disappeared 15 years ago. Not to mention that while cyber-war, cyber-terror and cyber-espionage all have a “profit” in mind, it is not exactly the same “for profit" as the Albert Gonzalez gang stealing credit card data.
In fact recent attacks if anything show that we may in fact be entering a new era of hacking and security that calls the whole responsible disclosure and “ethical hacking” issues into a new light. So why talk about security drivers circa 2007 halfway through 2011?
At first I chalked it up to having people who really don’t have any security background and not living security being put in a position where they are forced to talk about it. But then I thought about it some more. It is more than just another empty suit talking about security, it is a chronic problem in the security industry.
I have heard it from other security executives too. When speaking to customers and the public they don’t think the audience is sophisticated enough to really “get it”. So instead of giving it to them straight, lets give them what they can understand. It is LCD (least common denominator) security marketing. Give them something simple enough that they can put their mind around it, that has examples that have already been established in the public consciousness. This way we don’t have to explain too much and we don’t have to open the kimono about our solutions being perhaps only an inch deep. KISS, keep it simple stupid. If only the world really worked like that though.
But why should we be surprised with least common denominator security marketing when too many security companies sell least common denominator security solutions. You know, the check box security that allows people to say they have complied, but leaves them defenseless when LulzSec and the like put them in their sites.
I think the whole thing is an outgrowth of the old enterprise security vendor approach of watering and “dumbing down” their solutions for the mid-market. It didn’t work then and LCD security and LCD security marketing doesn’t work now.
Yes, you may fool some people for some of the time, but you can’t fool all the people all the time and sooner or later it catches up with you. The people and organizations relying on the security industry deserve better and we as an industry should be better than that!