Avoiding Security Hype, the Hazard From Hollywood

If it’s summer, it must be Hollywood blockbuster season. Disaster! Horror! Explosions! Supervillains!

But in the corporate world, it’s summer blockbuster season year-round. Networks of zombie bots! Twisted teenage genius hackers! The chills and thrills are dramatic, and they make for easy presentations. Give the audience enough explosions, and they might not notice any gaps in the storyline.

Unfortunately, the Hollywood approach to security issues doesn’t do much to help organizations improve their actual security. No costumed superhero will swoop in to save the day — and, meanwhile, we’re ignoring practical and effective measures.

Hollywood Security Hype vs. the Real World

The romanticized Hollywood hacker mythology, argues Kevin Magee at Infosec Island, is misleading. Going all the way back to the 1983 film “WarGames,” hackers have largely been portrayed as maladjusted but brilliant teenagers. They aren’t. Cybercriminals are just plain criminals, and there’s nothing romantic or noir about them.

Moreover, Hollywood-style security hype may not even deliver thrills anymore. By this point, horror stories about millions of stolen customer accounts are like the sixth sequel in a tired film franchise — they only make audiences’ eyes glaze over.

Beyond doing away with the term “hacker” and the mythology that surrounds it, Magee offers four habits that security professionals should quit in their presentations to executives and other employees:

  • Stop swiping sensational headlines. Instead, use high-profile attacks as learning tools. How would your organization respond if faced with the same situation?
  • Do away with cliched graphics. We don’t need another shadowy figure or image labeled “Hacked!” in a jagged red font.
  • Stop blinding your audience with tech jargon. Magee points out that the typical board member “can’t relate to an APT that has exploited privileged user credentials to install root kits on multiple endpoints and has bypassed our IPS by encrypting command-and-control messaging.” Instead, explain how much effective protection will cost — and how much it can save.
  • Above all: Stop using fear. Start using reason.

When the Cybersecurity Discussion Gets Real

Criminal cyberattacks are a real threat, and there are real measures organizations can take both to reduce the likelihood of a successful major breach and to reduce the level of risk exposure if a breach does take place.

Some of these key protective measures are technical in nature and hard to explain in detail. Other critical protective measures — such as user awareness of threats like “spear phishing” attacks — don’t require a technical background to understand.

Users don’t need to know how a malware payload works. They just need to see how the attack can mimic an email from a colleague and what to be suspicious of. Nor do leaders need a technical background to understand why their organizations should have an effective public response ready if sensitive data does get breached.

What everyone in the organization needs is a better grasp of the real risks of cyberattacks and what can be done to prevent them or minimize their costs. What no one needs — or benefits from — is more security hype.

Rick Robinson is a writer and blogger, with a current 'day job' focus on the tech industry and a particular interest in...