John Dickson, Principal at the Denim Group, talked at RSA about the noise we see in the security market today around breaches, zero-day exploits and other catchy topics in the media. It’s the nature of the media to find the most sensational stories because they sell papers/get clicks. To be fair, if something isn’t sensational, it isn’t news, but this noise can take attention away from the security conversations you should be having.
As John put it, the attention paid to sensational news, or what we in the industry call fear, uncertainty and doubt (FUD), means we are not focusing on the internal areas that actually improve security. If the conversation centers on these stories, you end up with a security strategy that doubles down on technologies you already have in place: anti-virus, firewalls or endpoint security.
Don’t get me wrong; these technologies are vital to overall security, but they are not sufficient on their own. As John pointed out, exploits are happening through the application layer, so we need to spend more time finding and fixing vulnerabilities there and building strategies to do so.
So, what can we do to shift the focus? To me, it isn’t about shifting the focus. As security managers or AppSec managers, you can use these sensational stories to start a conversation with your executives or boards. These stories get the attention of executives, so they present a great opportunity to educate your company on strategies that work. John also recommends using measurement and stats to demonstrate why you need to focus on new areas of security.
Bottom line: Breach distortion may make some areas seem more important than they actually are. But these stories also create an opportunity for you to frame the conversation.