Executive Perspectives

Buyer Beware – Which Vendor Claim(s) Is Your Organization Taking at Face Value?

Fans of the Austin Powers movies will remember the famous scene from the first movie where Dr. Evil is in group therapy with his son Scott, and he is asked to describe his childhood. “My father…”, he starts, “...would make outrageous claims like he invented the question mark.”

Sadly, this characteristic is not limited to fictional characters in movies. In fact, it is readily seen in the literature professed by unscrupulous vendors and, in our industry, self-proclaimed security experts.

Cyber security issues impact us all at our core. Every new cyber breach, credit card disclosure or ransomware attack brings yet another long list of things that we have to worry about, both professionally and personally, and that we have to take into consideration as part of our risk analysis every time we make a decision or perform an action.

We all wish for the magical “quick fix” and so does our leadership. We are especially vulnerable to this feeling when something happens to us or our organizations directly.

In those unfortunate circumstances, we look for solutions that will help us quickly understand what went wrong, calm our fears, confirm our suspicions, and ultimately point to the root cause so we can deploy or do something that will protect us better next time.

This is usually when the so-called snake oil merchant makes an appearance.

Fear, uncertainty and doubt are primitive survival emotions. They have been expertly exploited by charlatans for thousands of years, and this will not stop any time soon. In fact, as technologies and the threat landscape becomes increasingly complex, we struggle even more to keep up with all the deeply nuanced details.

Charlatans have an uncanny ability to find the in-between spaces where they can take their techno-fantasy and intertwine it with techno-facts and simile-facts, thus infusing what they say with an aura of believability that, upon review, doesn’t come close to passing the sniff test.

Every day we are bombarded by advertisements and claims of solutions and services that promise the capability to secure everything everywhere. How can anyone cut through the smoke and mirrors and get to the truth?

  • I Know for I’ve Told Me So! – If a solution provider claims to have discovered something unique, but they are unwilling to share how their solution operates, or they cannot provide evidence from impartial third parties, or they do not have referenceable clients that can be called to discuss their experiences, then be suspicious and do not invest any time or money until this basic validity test is met.
  • Where’s the Conflict? – When reviewing the provided data, ensure that the environment and conditions described in the data directly correspond to the point being made. Do not accept any supporting document that requires a leap or any unsupported assumption. If the evidence is provided by third parties, ensure there is no conflict of interest between the organizations – as in, is the third-party organization a subsidiary or related in some way with the primary company? Validate that the findings are not pay-for-publish types and are intended this specific use. Proof of claims can easily be attributed to a third party that never intended their data to be used by that claim, or a logo can be inserted into a presentation giving the impression of attribution where none actually exists. Use trusted, well-known sources for validation and verify with them directly.
  • If It Appears Unbelievable, It Probably Is – “Little known secret” or “conspiracy theories” make for great click-bait, as well as intrigue in movies, but they won’t solve the security issues that show up in event logs when staff arrive at work. This is the charlatan’s greatest trick. Focus on what needs to be done and develop processes and capabilities that will yield real results. There are no magical quick fixes or shortcuts, just smart diligent effort that improves security one step at a time.

Bottom line: Even when a claim has the glow of credibility, always validate the claims and do your own diligence with trusted experts who have demonstrated a long and consistent track record. It may take a little longer, but you will sleep better at night knowing there isn’t any snake oil pretending to protect the environment.