June 6, 2017 By Rick M Robinson 2 min read

If it’s summer, it must be Hollywood blockbuster season. Disaster! Horror! Explosions! Supervillains!

But in the corporate world, it’s summer blockbuster season year-round. Networks of zombie bots! Twisted teenage genius hackers! The chills and thrills are dramatic, and they make for easy presentations. Give the audience enough explosions, and they might not notice any gaps in the storyline.

Unfortunately, the Hollywood approach to security issues doesn’t do much to help organizations improve their actual security. No costumed superhero will swoop in to save the day — and, meanwhile, we’re ignoring practical and effective measures.

Hollywood Security Hype vs. the Real World

The romanticized Hollywood hacker mythology, argues Kevin Magee at Infosec Island, is misleading. Going all the way back to the 1983 film “WarGames,” hackers have largely been portrayed as maladjusted but brilliant teenagers. They aren’t. Cybercriminals are just plain criminals, and there’s nothing romantic or noir about them.

Moreover, Hollywood-style security hype may not even deliver thrills anymore. By this point, horror stories about millions of stolen customer accounts are like the sixth sequel in a tired film franchise — they only make audiences’ eyes glaze over.

Beyond doing away with the term “hacker” and the mythology that surrounds it, Magee offers four habits that security professionals should quit in their presentations to executives and other employees:

  • Stop swiping sensational headlines. Instead, use high-profile attacks as learning tools. How would your organization respond if faced with the same situation?
  • Do away with clichéd graphics. We don’t need another shadowy figure or image labeled “Hacked!” in a jagged red font.
  • Stop blinding your audience with tech jargon. Magee points out that the typical board member “can’t relate to an APT that has exploited privileged user credentials to install root kits on multiple endpoints and has bypassed our IPS by encrypting command-and-control messaging.” Instead, explain how much effective protection will cost — and how much it can save.
  • Above all: Stop using fear. Start using reason.

When the Cybersecurity Discussion Gets Real

Criminal cyberattacks are a real threat, and there are real measures organizations can take both to reduce the likelihood of a successful major breach and to reduce the level of risk exposure if a breach does take place.

Some of these key protective measures are technical in nature and hard to explain in detail. Other critical protective measures — such as user awareness of threats like “spear phishing” attacks — don’t require a technical background to understand.

Users don’t need to know how a malware payload works. They just need to see how the attack can mimic an email from a colleague and what to be suspicious of. Nor do leaders need a technical background to understand why their organizations should have an effective public response ready if sensitive data does get breached.

What everyone in the organization needs is a better grasp of the real risks of cyberattacks and what can be done to prevent them or minimize their costs. What no one needs — or benefits from — is more security hype.
