Blog post

Information Security Headlines are Misleading

By Paul Proctor | February 11, 2014 | 1 Comment

The headlines are schizophrenic. One day it is “Oh no! Oh no! We’re all gonna die!” and the next day it’s “What? Me worry?” The more dangerous of these are the headlines that suggest that we are all going to be fine, because the FUD may be annoying, but organizations are always seeking an excuse to ignore the problem.

While both extremes should be expected from a profit-driven, eye-ball grabbing press, there is a very practical reality somewhere in the middle that should not be ignored. Neither of the extremes really support appropriate levels of attention on  this critical topic. Here are a few examples from very recent headlines that mislead.

“Information Security? What Security?”

“Forget Prevention, says Venture Capitalist Ted Schlein, Focus on Limiting Damage” says the subtitle below the headline. This is a videotaped interview published in the Wall Street Journal on February 11, 2014 with some transcription that includes these gems, ripe for misinterpretation by a non-subject-matter-expert reader (AKA everyone reading the article).

“I’m a firm believer there are only two kinds of companies—those that have been breached and know it, and those that have been breached and don’t know it.” – Ironically, he has worked FUD into a commentary that most people will interpret as you are wasting your time with security.

“Most of what we do in security is around prevention, prevention, prevention. Great. Just know it won’t work. Know that they’re going to get in.” – This is one of those mixtures of fact and fiction that is completely misleading. “…just know it won’t work” is not at all true and gives a license to decision makers to reduce security investment in a very bad way. I believe he is trying to say that there are new and exciting technologies to address security that don’t focus exclusively on prevention. What it sounds like he’s saying is that prevention is a waste of time.

“You ought to be thinking, “Hey, I want to find out where they are as fast as humanly possible, contain it and remediate it.” – Then he follows up with a confirmation that yes, he did mean that prevention is a waste of time. So you can skip all that vulnerability patching! Just drop all the defenses and remediate compromised machines! Remember that this is coming from a VC who has likely invested in some of those companies that provide these capabilities.

“How Cyber-Security Laws are Outdated”

In this article also published in the Wall Street Journal on February 11, 2014 Mike McConnell, Former director of the National Security Agency and of National Intelligence talks about the details of the NSA’s surveillance program and tells how Edward Snowden stole classified information from the agency. Basically his focus on nation-state hacking and a focus on public private information sharing with a headline that suggests our cybersecurity laws are out of date just creates a jumble of information that would leave most people saying “what, the what?”

“Gartner: CIOs Deprioritize Security” and “CIOs Downgrade Cybersecurity”

In these two blog posts (that were highlighted in the Journal’s CIO Journal) from mid-January 2014, WSJ reporter Michael Hickins (@Michael_Curator) seizes upon Gartner’s own CIO study that discusses the relative priority of cybersecurity vs all the other priorities a CIO addresses. He notes: Security ranks at #8 on the list of strategic priorities ranked by CIOs; 10 years ago it ranked as the top priority…”

Full disclosure, he quotes Gartner’s own Dave Aron who was a co-lead on the study. But as Dave tells me, he never left the impression that security was not important to CIOs even though that is the impression the headline gives. Evidently Michael thought it was a noteworthy enough observation that he repeated it in a blog post the very next day.

The bottom line: Headlines are made to grab eye-balls, I get that, but information security and IT risk are critical topics that are going through a sensitive, and in many ways fragile, cultural shift. These misleading headlines are not helping.

The WSJ is not the only media source doing this. I just read the WSJ every day so this is where I pulled my examples.

Follow me on Twitter (@peproctor)

Comments are closed

1 Comment

  • Paul,
    I couldn’t agree more. I read an article on Monday night from a “reputable” infosec source where the headline called into question whether or not the HVAC had vendor account had any role in the Target breach. Their “expert” called claimed this couldn’t be true bc PIC DSS requires that the payment system networks be segregated. Well, 1st, PCI expressly does not require that. Even if they did, that doesn’t mean that every company would be in complete compliance 100% of the time. Even if they were.. even if you air gap a network, there are ways to work your way through with a little patience (ask the Atomic Energy Organization of Iran :|… So, I added a comment quoting the PCI DSS and questioning the validity of the headline.. but the comment was removed within 5 minutes 😐