If it’s summer, it must be Hollywood blockbuster season. Disaster! Horror! Explosions! Supervillains!

But in the corporate world, it’s summer blockbuster season year-round. Networks of zombie bots! Twisted teenage genius hackers! The chills and thrills are dramatic, and they make for easy presentations. Give the audience enough explosions, and they might not notice any gaps in the storyline.

Unfortunately, the Hollywood approach to security issues doesn’t do much to help organizations improve their actual security. No costumed superhero will swoop in to save the day — and, meanwhile, we’re ignoring practical and effective measures.

Hollywood Security Hype vs. the Real World

The romanticized Hollywood hacker mythology, argues Kevin Magee at Infosec Island, is misleading. Going all the way back to the 1983 film “WarGames,” hackers have largely been portrayed as maladjusted but brilliant teenagers. They aren’t. Cybercriminals are just plain criminals, and there’s nothing romantic or noir about them.

Moreover, Hollywood-style security hype may not even deliver thrills anymore. By this point, horror stories about millions of stolen customer accounts are like the sixth sequel in a tired film franchise — they only make audiences’ eyes glaze over.

Beyond doing away with the term “hacker” and the mythology that surrounds it, Magee offers four habits that security professionals should quit in their presentations to executives and other employees:

  • Stop swiping sensational headlines. Instead, use high-profile attacks as learning tools. How would your organization respond if faced with the same situation?
  • Do away with clichéd graphics. We don’t need another shadowy figure or image labeled “Hacked!” in a jagged red font.
  • Stop blinding your audience with tech jargon. Magee points out that the typical board member “can’t relate to an APT that has exploited privileged user credentials to install root kits on multiple endpoints and has bypassed our IPS by encrypting command-and-control messaging.” Instead, explain how much effective protection will cost — and how much it can save.
  • Above all: Stop using fear. Start using reason.

When the Cybersecurity Discussion Gets Real

Criminal cyberattacks are a real threat, and there are real measures organizations can take both to reduce the likelihood of a successful major breach and to reduce the level of risk exposure if a breach does take place.

Some of these key protective measures are technical in nature and hard to explain in detail. Other critical protective measures — such as user awareness of threats like “spear phishing” attacks — don’t require a technical background to understand.

Users don’t need to know how a malware payload works. They just need to see how the attack can mimic an email from a colleague and what to be suspicious of. Nor do leaders need a technical background to understand why their organizations should have an effective public response ready if sensitive data does get breached.

What everyone in the organization needs is a better grasp of the real risks of cyberattacks and what can be done to prevent them or minimize their costs. What no one needs — or benefits from — is more security hype.
