Your opinion although interesting is irrelevant

Voice of a Leader

Leaders are predominately at the forefront of trying new things, followers aren't. Many opinion creators' self-belief assumes that they develop their content under the auspices of a cybersecurity leader, believing that it will make a difference, establishing a new [angle] for cybersecurity yet to be uncovered.  A follower always needs to have an opinion believing that this increases their standing across the company or industry. Content from followers will be pulled together with type1 thinking, automatic or spontaneous. Whereas true leaders know that if they can add value it will come from a well rounded and structured critical analysis (type 2 thinking) of the subject, with the audience, not the author in the starring role. One of the main reasons an individual becomes a leader is that they have taken the initiative to achieve the position they are in today. Irrespective of your opinion of Simon Cowell, if he wanted to be a follower, he wouldn’t have achieved the respect he has today in the record industry. 

So, whose opinion really matters in cybersecurity? The cybersecurity leader’s (CISO, CSO, Directors of Infosec, etc.)

By security leaders I didn’t mean industry analysts, influencers, vendors, marketeers, academics, self-proclaimed experts (excluding a few such as Schneier, Krebs, etc.), thought leaders and the list goes on. Does this mean that those that are in the firing line should disregard what individuals in the list are saying? No. Information and intelligence shared should always be considered but they should be read using the slower type 2 thinking to rationalise what’s being said.

Cybersecurity is a critical obligation

So why have I raised this subject and added my discipline as a contributor within the list of opinions that should always be rationalised? 

As I mentioned previously, cyber security is now a critical obligation for organisations to maintain business stability and growth. The opinions that are continuously being shared are not always helpful to cybersecurity leaders preparing themselves for existing and believed cyber-attacks. Demonstrating sound opinion and judgement is critical for both the security leader and the provider of security tools. Cyber-attacks are relentless and any resulting incidents where the efficacy of the security tool is called into question shines a light on the decision of the security leader and the verbal and written capabilities from the vendor. The liability for insecure software is already a reality. The question is whether governments will step in to give it shape and a coherent legal structure. Broadly speaking, governments could do this in one of two ways. They could create a legal framework for claims brought by private citizens or government attorneys. Or it could delegate the regulation of software security to agencies like the Federal Trade Commission (FTC), National Cyber Security Centre (NCSC) amongst others.

It’s never good to wait for regulations, especially as cyber criminals operate in the present and not any future timescale. Opinions have no place in the compliance of regulations and security leaders need opinion creators to collaborate more closely to ensure that they [all those in the opinion list] add value in their efforts, not distract a security leaders invaluable time. 

Leading with a type 1 thinking approach

There are numerous examples of content used by opinion creators in their efforts to capture the attention of security leaders with type 1 thinking. Four examples are summarised in the following paragraphs, all of which may look innocent in isolation,  but each contribute towards the recurring misuse, tweaking and tedious use of opinion instead of challenging the norm by using accurate and inspiring datum.

Repetitive waste

Tell them, tell them and tell them again. But please change the record.

The most recent example of repetitive waste is the cyber incident related to the SolarWinds attack. Every ‘specialist’ on my opinion list had something to say. I googled ‘SolarWinds Attack’ and it returned 4.8 million results. Unless the article was from the incident response team or security advisories, it was churned content, expressing speculative opinions of who was to blame, their intent and how this would ultimately result in cyber warfare. We are now seeing the same churn happening for the mitigated cyber hack at Oldsmar's water treatment system in Florida.

We could stop that!

And yes, what a great opportunity for vendors to tell everyone how it wouldn’t have happened on their shift. Under the guise of a supposed advisory or breakdown of the attack, the final paragraph is always reserved for the vendors call to action “contact us to learn how we would have stopped this happening”. Don’t vendors and content authors realise that if the opinion piece was informative, insightful and [really] helpful the reader understand something of real value and not a blatant sales tactic, readers would probably go check you out? You don’t need to lead the horse to water, its capable of walking there by itself. 

I’m the leader, just choose me

A leader is normally recognised by the opinion of an individual or group of individuals  via a report or publication at a given data point in time. 

However it’s the report author that decides what should define a leader and the evidential criteria used to rank security providers, it’s not an inclusive process.

Ask yourself:

• Have security leaders been asked to agree the combination of functionality into a category?
• Have security leaders been asked to evaluate the priority and weighting of key criteria?
• Have security leaders been asked if they only want to know about established vendors and not those that need another couple of years to meet the report inclusion criteria?

Ever thought of dismissing the opinion or decision of what’s in the leadership reports? Well, why not? I recently spoke (yes spoke) to a group (lots) of CISOs (that’s their business title) and as far as they were concerned, they are not dependent on the opinion or details of vendor assessment reports of leaders (and followers) to choose a specific vendor/security tool. 

Security leaders who go against the advice of these reports, will approach their decisions based on relevant factual data. The security providers, who are not deemed as being a 'leader', should continue conveying a strategy of  ‘client-purpose first' and leave the chest pumping to the gorillas. You don’t need to boil the ocean, just make some positive waves.

The CISO doesn’t know

Every CISO that I have spoken to over the years have been highly intelligent and well read, both technically and of their business. The letters that appear after their name are not there because they cannot spell. CISM, CISSP, CISA, CIPP-US, CISM, CDPSE, CRISC, etc, all have a common theme ‘Security’. These are practitioners, not academics. 

So why do opinion pieces and vendor collateral continue to tell security leaders that; they need to be more security aware; should not let this type of attack into their business; should prioritise one security tool over another or get a grip of shadow IT?

In simplified english this is the author of the content using type 1 thinking (when developing the material), without the maturity to know that they are trying to tell their target audience something they already know, or “teaching your grandma to suck eggs”. The majority of publications, whether the are in the media or via digital channels are used to gain awareness and consideration for the content author or the company, so consider this, ‘who is going to pay for the product or service you are trying to get them to buy’? The person that you just advised wasn’t doing their job correctly.

If you are one of the so-called security vendor 'leaders' from the section above, shouldn’t you be thinking about getting one of your own customers’ security leaders to contribute to your opinion piece, removing the marketecture and replacing it with a practitioner’s perspective. Security leaders listen to the opinions of their peers before they listen to anyone else.

Thousands of security leaders agree 

No, they don’t. Security leaders like everyone have differing beliefs, due to their industry, size of company, background, personal disposition and budget amongst many other factors. A box ticked or a ranking score chosen does not provide a true understanding. Size only counts when it’s taken in context. 

My approach as a cyber industry analyst and go-to-market specialist is always to ask ‘why?’ rather than ‘how?’. As a researcher for both the areas of my specialism I use well-grounded methodologies proven over a number of years, strengthened from my MSc academic learnings.

Research should be used to understand the [current] factual state of the subject you are analysing. It should be driven by either standalone or a mixture of qualitative and quantitative data. Acknowledging your favourite washing powder or the flavour of one apple variety over another is relatively simple, cybersecurity on the other hand cannot be simplified to a number or tick box. It is very complex and has many overlapping factors. So, I despair when I read unfounded, exaggerated and tweaked cybersecurity research findings.

Security leaders are very busy individuals, but when they identify value to themselves or their peers in a research study, they welcome the ability to contribute. But you need to have them allocate time to respond, so they tend not to respond to speculative lengthy quantitative research and it can take weeks for them to find time in their schedule to participation in a study. Stating in a publication that the study has been compiled with the contribution of 100's of security leaders in a month or two, well, let's not add the response I would use.

Finally, a well delivered research study would encourage the security leaders participating to provide you with attributed comments, so unless you are doing this under the 'Chatham House Rule', convincing and challenging statements should always be attributed to provide validity.

When you are being presented with a B2B cybersecurity research publication, think about the title, objective and respondent size and approach the consumption of the content with type 2 thinking:

1. Are the respondent figures exaggerated? You cannot survey hundreds let alone thousands of security leaders in a month or two (also see point 7 below)
2. Is the publication making author based qualitative claims from quantitative (only) data points?
3. Are the questions closed rather than seeking a respondent’s experience or opinion?
4. Are there restrictions of options to choose from in the available lists?
5. Would you have been encouraged to add anything to the ‘any other comments’ box in a quantitative study?
6. If the research topic is primed with a negative connotation, are you expecting the respondents to challenge the implied opinion or just fuel a topic that may already be exhausted? How many times do you get someone complaining about something rather than saying how good things are?
7. If the title says ‘Security Leaders’, has the methodology provided exclusion where the respondent’s primary responsibility is not security leadership

Understanding the issues that cyber security leaders are experiencing to enable vendors and academics to build new products and services, highlights that research studies are and will continue to be a valuable source of data points for the cybersecurity industry.  It is essential that any research study whether it is quantitative or qualitative is undertaken with the contextualised views of security leaders and does not steer the end publication to say something that the author already knew or intended. 

Conclusion

Opinions are constant, we will always have them. The change in focus of cybersecurity from an annoyance factor a decade ago to something that is now an obligation of businesses has meant that any opinion relayed needs to be underpinned with evidential facts that will increase the knowledge of security leaders. Providers of opinions and security tools would be wise to adjust their tone of content and focus on facts that have a consistent engagement with practitioners who are specialists and not theorists.