It’s not unusual for journalists to receive press releases warning of cyber-warfare, ‘cyber armageddon’ or a critical infrastructure attack (note: research currently suggests pesky squirrels are more likely to take down your local power grid, rather than China’s PLA Unit 61398).
Some vendors are also quick to latch onto breaking vulnerabilities or attacks, and will happily over-play the threat. Others have been accused of making hyped-up boasts about “unbreakable” or uncrackable products.
There is an argument that this fear factor is required, but many argue it has an adverse effect - pushing the customer away, while also highlighting the futility of the very security products they are trying to sell.
Amar Singh, former CISO at News International and SABMiller, says some vendors are better than others.
“I would say there are good apples and bad apples; some vendors are into doing right thing, but no doubt some vendors are...only focused on sales and pedalling their products. They make extraordinary promises.
“Yet, I know some vendors who say ‘No, this isn’t product what you are looking for’.”
Malwarebytes’ Kleczynski admits it's hard for vendors to educate end users “not as ingrained in the space as we are” on the security threat, but downplayed suggestions of vendors “overstating the threat”.
“I don’t think that by painting a clear picture of the nature and consequences of cyber threats is "overstating the threat." It’s important to use examples of very real consequences of cyber-attacks to educate consumers and businesses and give them an opportunity to learn that the threat of cyber-attacks is real and can have very real consequences.”
What vendors and end users should do
- Collaborate with government agencies and other security firms
- Be honest about the product’s capabilities
- Help end-users get most out of their existing technology
End users should...
- Test a range of solutions
- Don’t expect technology to always be the answer - education is too
- Ask if you’re fully utilizing your existing solutions
- Understand who will use each solution - and how
Stephens, though, suggested FUD is an age-old problem.
“Selling FUD is an unfortunate legacy and reality in the industry. It’s rooted in the fact that the need for security hasn’t always been the recognized and acknowledged organizational priority that it’s become almost universally today. So selling FUD was how you “made it important” to decision makers. That’s no longer the case.
“But because it is such a high priority issue now, the use of FUD to appeal to a far more security-conscious society seems to be enduring and even proliferating as a selling tactic. It’s especially distressing when there are so many legitimate security threats now and they’re often difficult to filter or distinguish amongst all the FUD noise.”
Sign up for CIO Asia eNewsletters.