When Cybersecurity Vendors Lie*

See if you can spot the problem inherent in this relatively common sales pitch: “For only $200,000 you can subscribe to our data feed today and receive truly actionable cyber-intelligence!”


Assuming the company is already known to have unique sources of information, the challenge is in the rest of the phrase: how do we define the term “actionable”?  It’s an appealing word because it implies that the information will be useful to us; by taking the recommended actions we will be improving our lives.

Who doesn’t want this?  An improvement on existing conditions is what we often seek as we browse articles, watch DIY vids on YouTube, or subscribe to newsletters on stock tips.  But how often does this actually work in the complex and convoluted world of cybersecurity?

It’s easiest to answer this question by looking at what makes anything truly “actionable”.  There are four fundamental requirements of “action-ability”, and they are the same whether you are prepping for an upcoming natural disaster or learning how to raise chickens.  For a suggested action to have real value it must be:

  • Relevant to your situation – you don’t want your IT team receiving insistent recommendations to patch systems which are no longer part of your inventory
  • Aligned with your current strategy, which is to say with your goals and commitments, as constrained by your budget
  • Achievable with your current resources
  • Specific and clear rather than vague; for example, instead of recommending that you “raise awareness with employees”, a consultant should suggest that you “provide a ransomware training module to all employees within the next month”

This seems like a good time to ask: when the cyber intelligence vendor says their stuff is actionable, does this mean that they will be the ones providing the action list to you?  If so, they are going to have to stay in very close touch – maybe more than you would like! – to receive regular updates about things like inventory, budget and strategy changes so they can customize their recommendations.  Or wait a second: are they expecting a brand new customer – one who has never consumed their product before – to psychically divine what that list should be?

Let’s take a quick look at what this might mean.  Here are two pieces of so-called actionable information from a cybersecurity vendor:

  1. “Lately, hackers have employed new techniques for auctioning off stolen data” and
  2. “In the last 90 days, there has been a 70% increase in attacks on the point-of-sale (POS) system your company is using”

To a cybersecurity geek (hear! hear!) they are both interesting facts.  But the second one is definitely more specific and useful than the first one.  It would be even better if the second fact came with a list of 10 things you should check (like configuration parameters, permissions, version numbers, etc.) to make sure your POS was better locked down.  If this isn’t included, at least a reasonably competent IT person can look at the second fact and spend a few hours creating such a list.  But the first fact is only really interesting to students of the field.

So let’s grade this vendor on their ability to provide us with actionable data:

  • We are actually still using that POS system! – A+
  • 50% of this data is useless – D
  • The first fact, if it has no action items attached – bad vendor! – C
  • The first fact with relevant, achievable, aligned, specific actions attached – A++

Now, if they deleted the useless “intelligence” and only provided the good stuff, maybe they are worth the price.  Or, maybe we should get a sizable discount when, after the fluff is all sloughed off, the actual number of actionable items per month is down to just two :-)

Let’s end here with some armament – my attempt at providing usefulness to my readers!  Next time you hear this phrase “we have actionable intelligence” from a salesperson, ask them:

  • Are you saying your data will be RASS? (relevant to my company, aligned with our strategy, achievable, and specific)
    1. If so, how do you plan to get the information you need from us to keep it that way?
    2. Have you by chance asked customers how many of the recommended actions they took last year?
    3. If not, do you have a few customers I can discuss this with?
  • If the data will not be properly customized (RASS), can you give me an example of what you would have provided me last year if I were a subscriber?
    1. Now give the list to your IT folks and ask them:
      1. How many actionable facts were really provided?
      2. What percentage of the facts suggest obvious actions?
  • How many additional staff hours will it take to extract the to-dos, and how much did those actions actually reduce risk for us?

I hope it’s easy to see that while the “bait” may seem really attractive – a top-notch company offering unique information about cybercrime – it could end up costing a lot of money just to figure out what to do with it.  This is fine for a large company that spends a million dollars a year on cybersecurity, because it already has its own Security Operations Center (SOC), but it’s not very fair to the small and medium businesses that can’t afford a dedicated expert on staff.

So dig in and challenge your vendors.  Ask these questions before subscribing.  Buying products which don’t do what they are supposed to do for you is a big part of why organizations over-spend on cyber.  This is also where a vendor-independent consultant comes in: they can help rank all the options by cost and the degree to which they actually reduce risk of a breach.  Good luck out there!

Best,

cj

*or “misrepresent”… most cyber intelligence can be considered “actionable” by a fraction of companies: those earning $1 billion who have their own SOC.

One Response to “When Cybersecurity Vendors Lie”

  1. Deb Atwood says:

    Great article! I especially like the way you break down the business owner’s potential concerns with “actionable” questions.