June 6, 2017 By Rick M Robinson 2 min read

If it’s summer, it must be Hollywood blockbuster season. Disaster! Horror! Explosions! Supervillains!

But in the corporate world, it’s summer blockbuster season year-round. Networks of zombie bots! Twisted teenage genius hackers! The chills and thrills are dramatic, and they make for easy presentations. Give the audience enough explosions, and they might not notice any gaps in the storyline.

Unfortunately, the Hollywood approach to security issues doesn’t do much to help organizations improve their actual security. No costumed superhero will swoop in to save the day — and, meanwhile, we’re ignoring practical and effective measures.

Hollywood Security Hype vs. the Real World

The romanticized Hollywood hacker mythology, argues Kevin Magee at Infosec Island, is misleading. Going all the way back to the 1983 film “WarGames,” hackers have largely been portrayed as maladjusted but brilliant teenagers. They aren’t. Cybercriminals are just plain criminals, and there’s nothing romantic or noir about them.

Moreover, Hollywood-style security hype may not even deliver thrills anymore. By this point, horror stories about millions of stolen customer accounts are like the sixth sequel in a tired film franchise — they only make audiences’ eyes glaze over.

Beyond doing away with the term “hacker” and the mythology that surrounds it, Magee offers four habits that security professionals should quit in their presentations to executives and other employees:

  • Stop swiping sensational headlines. Instead, use high-profile attacks as learning tools. How would your organization respond if faced with the same situation?
  • Do away with clichéd graphics. We don’t need another shadowy figure or image labeled “Hacked!” in a jagged red font.
  • Stop blinding your audience with tech jargon. Magee points out that the typical board member “can’t relate to an APT that has exploited privileged user credentials to install rootkits on multiple endpoints and has bypassed our IPS by encrypting command-and-control messaging.” Instead, explain how much effective protection will cost — and how much it can save.
  • Above all: Stop using fear. Start using reason.

When the Cybersecurity Discussion Gets Real

Criminal cyberattacks are a real threat, and there are real measures organizations can take both to reduce the likelihood of a successful major breach and to reduce the level of risk exposure if a breach does take place.

Some of these key protective measures are technical in nature and hard to explain in detail. Other critical protective measures — such as user awareness of threats like “spear phishing” attacks — don’t require a technical background to understand.

Users don’t need to know how a malware payload works. They just need to see how the attack can mimic an email from a colleague and what to be suspicious of. Nor do leaders need a technical background to understand why their organizations should have an effective public response ready if sensitive data does get breached.

What everyone in the organization needs is a better grasp of the real risks of cyberattacks and what can be done to prevent them or minimize their costs. What no one needs — or benefits from — is more security hype.
