Recently we’ve been troubled by a spate of news articles and other public announcements – coming from seemingly authoritative sources – that have made claims or insinuations that are doing not just a disservice to those in the risk management and cybersecurity industry who are trying to educate the general public, but a real disservice to those who may implicitly trust these sources to provide honest and/or objective information.

In the interests of fairness (and liability), we’re not going to pursue public ‘naming and shaming’, but we’d like to offer some good old-fashioned consumer advice when it comes to trusting – and taking advice from – not just people in our industry, but really anyone providing advice about this field.

Consider that we have spent a lot of time on the receiving end of information before we ever decided to provide some ourselves, so hopefully you will appreciate our perspective and motivations are fair and four-fold:

  1. We want you to learn from our experiences (and quite frankly mistakes) from the past;
  2. We hate spending time trying to help people “un-learn” nasty half-truths and outright lies;
  3. We don’t want to be the bearer of bad news when you suffer the consequences of bad advice or information; and most importantly…
  4. We already have plenty of work to keep us busy – this isn’t some tacky ploy to drum up more.

So here we go…

Ask them the difference between cybersecurity and risk management. If they can’t tell you, run – don’t walk – away.

This is an easy litmus test, because there are lots of technical people who like to say they are the same thing.  They are not.  There are different objectives, motivations, and really an entirely different perspective on the business.  Cybersecurity is predominantly focused on performance indicators, while risk management is focused on risk indicators.  If they don’t know what those are either, run faster.

The Rule: Know What You Are Getting

Never trust anyone who is speaking publicly about cybersecurity… and just had a breach.

This might surprise you, but we get questions stemming from this scenario more often than you’d expect.  We’ll set aside what should be an intrinsic question (if they were breached, shouldn’t there at least be some room for additional doubt about the efficacy of their controls and cybersecurity prowess?) and focus on something equally pragmatic, but less obvious.

Specifically, it is that any company, organization, or other entity that has been breached is facing tremendous liability consequences, and that means that anything they state in public can and will be held against them in a court of law (if they are sued).  This means they will do their best to portray themselves as the hapless victim under the surge of insurmountable forces… the classic, “we gave it our all, but they were just too much for us.”

Uh, are we sure about that?  Did you really perform your due diligence?  If you were so prepared, why didn’t you detect the breach?  Why couldn’t you recover all of your data?  Where were your backups?  Where was your incident response plan?  Where was your IT staff?

Of course, these are all rhetorical questions that you will never get an answer to (lest they face the wrath of their own legal counsel), but for those of us who have been on both sides of a breach, there is MOST DEFINITELY more than one truth, if you know what I mean.

The Rule: Question Every Assumption.

Always pursue what the motivation is. As the old saying goes, “follow the money”.

This little piece of advice has resulted from people we’ve worked with not just trying to understand vendors and consultants, but also people we’ve coached who are interested in getting into cybersecurity and risk management as a career.

This entire industry is filled with snake-oil salesmen.  It’s as simple as that.  There are a lot of promises made because there is a lot of money to be made, and cybersecurity remains one of the few black box industries where discerning ‘the truth’ isn’t quite as easy as a Google search.

We’ve seen vendors make guarantees that their product can stop risk events that even our best cyberwarfare experts agree they could not defend against.  We’ve seen colleges and universities make completely unrealistic claims about the quality of their degrees, despite obviously lacking key curricula necessary to succeed in this industry.  We’ve seen consultants spend countless hours pointing out and (supposedly) remediating flaws whose actual risks to the company are minuscule, while ignoring obvious gaping holes in business planning and basic security hygiene.

You get the idea.  Vendors want to sell products, schools want FTEs and butts in seats, and consultants want billable hours.  I’m not saying that they’re all bad, but they know their game, they know you don’t, and the bad ones will happily take you for a ride.

The Rule: It’s Caveat Emptor… Learn to Smell a Rat

Sign the NDA – and then get your proof.

Consultants and vendors can be pretty protective about other people stealing their ideas, and the rash of rip-off companies that are out there says that paranoia is well-founded.  So, when they ask you to sign that mutual NDA, don’t think there’s some trick or game afoot.

But with that MNDA signed, that potential vendor or contractor relinquishes a lot of its defenses against the question of, “What’s the quality of your work?”

Honestly, we do it all the time with product vendors.  We sign their MNDA, and then ask them to give us the names of some contacts at existing clients who we can talk to.  If they have a client technical support group/forum, we ask to be given read-only access to it.  If they’ve gone so far as to do customer satisfaction surveys, we ask for unpolished data.

Some companies are better than others.  Small vendors may not have an extensive client list.  Some companies don’t have groups/forums.  And most don’t have or do satisfaction surveys.  But by ASKING for these things, what we really learn is just how honest and open they are.  The more they squirm or deflect, the more we learn about how they’re likely to behave if we became one of their customers.

As for those pursuing careers… ask the schools and prep companies for completion rates, the percentage of students who pass the certification prep courses, job placement rates, in-field employment rates 1, 2, or 5 years later, student satisfaction scores, testimonials, and even names of graduates or completers (depending on the training you’ve pursued) who are willing to talk to prospective clients/students.

It’s really just a test.  A lot of them fail.  But the good ones almost always shine in the darkness.

The Rule: Learn What It’s Like To Work With Them, Before You Do.

We’re people too, and we know the sting of having been burned.  We have also seen the consequences of going down the wrong path because of bad advice or misleading claims.  We sincerely hope you can find some of our advice useful.