Saturday, October 10, 2020

In praise of vendor-neutral cybersecurity awareness (Day 10 of Cybersecurity Awareness Month)

Image of empty seats in front of a speaker who has been pitching product instead of educating the audience

Raising people's cybersecurity awareness can help reduce cybercrime and increase the chances that humans will enjoy a net benefit from digital technology. You might say the goal is to help us all "enjoy technology more safely." 

That sentiment is echoed in the tagline of a security software company called ESET: Enjoy Safer Technology. This article is about the connection between cybersecurity as an industry, and cybersecurity awareness as a public good. 

In my opinion, companies that sell cybersecurity products and services should not hijack Cybersecurity Awareness Month to pitch those products and services. I wrote something along these lines a few years ago in an article on LinkedIn titled: Vendor-neutral cybersecurity education: a New Year’s Resolution.

Before going any further I should make it clear that I spent most of the last decade working for ESET with the title Senior Security Researcher. (I left last year, as explained here, and I am now a self-employed independent researcher, quoted as such by journalists in publications such as Bleeping Computer). 

At ESET I led a team devoted to analysing threats to information systems and the data they process, then sharing the implications of their findings with the wider world, through published articles, press interviews, and speaking engagements. And here's why that is relevant: we were under orders from ESET management to do all of this in a vendor-neutral way. 

In other words, even if a journalist were to ask me, as someone working for one of the world's largest suppliers of anti-malware products, "what can people do to keep malware off their systems?" my answer would be something like "install a reputable anti-malware product." I would not say "buy ESET anti-malware." (Sometimes, if I was pushed to name reputable security products I would list several, including ESET if it had a relevant offering.)

[Disclaimer: I no longer have any financial interest in ESET, no shares, no company pension, and I don't stand to gain anything if what I'm saying here leads you to buy the company's products.]  

Quite a few of those published articles, press interviews, and speaking engagements that I referred to earlier occurred in the context of cybersecurity awareness programs, including Cybersecurity Awareness Month. Indeed, ESET was a supporting member of NCSA, the body that orchestrates Cybersecurity Awareness Month in the US, and for a couple of years I was on the board of NCSA.

Now, you could argue that ESET was only putting all this money and effort into "vendor-neutral messaging" because it helped raise brand awareness, thereby leading to more revenue. And I would agree that "educating the market" for a product is a thing. People are more likely to buy products if you can persuade them that they need them; but not all needs are the same. Educating the market takes on an ethical dimension when it involves goods and services that are necessary to protect and maintain the safety and wellbeing of society.

Many years ago I described cybersecurity as "the healthcare of IT," and I see my role, and that of companies like ESET, as protecting and caring for information technology so that it can continue to deliver benefits despite attempts to abuse it, and the forces of nature that imperil it (storms, floods, fires, earthquakes, etc.). That protecting and caring remains job #1, whoever you work for or with in this field. 

Here's a real-life example of what I mean. Suppose you're invited to be on a panel to talk to a group of newspaper publishers about what they should be doing to protect their operations now that they are increasingly reliant upon digital technology. I don't think you should spend your time telling the audience about the ways in which your company's security product is superior to its competitors [allegedly]. I saw this happen a few years ago and it was truly cringeworthy, not to mention utterly unprofessional. It went pretty much like this:

  • Moderator: What's the first thing publishing companies should do to get a handle on cyber risks? 
  • Invited cybersecurity expert from company X: Buy our product.

About the only good thing I can say about this event is that a whole lot of people learned—via the cybersecurity grapevine—not to invite the expert in question to speak at future events. Naturally, people like "that guy" lead organizations to avoid speakers from cybersecurity companies. That's unfortunate because companies that create and deliver commercial cybersecurity products and services accumulate valuable knowledge about dealing with cybersecurity problems. Society risks losing out when that knowledge is not tapped because information security professionals can't commit to sharing what they know in a vendor-neutral manner.

So, as you see all these messages about cybersecurity this month, bear in mind that many are put out there by companies that have security solutions to sell. That doesn't mean the messages are not important or relevant; they may well be on point and worth heeding. Just watch for product pitches and call out those that cross the line and put profits ahead of the public good.
