Posted by: David Schneier
Data Breaches and Identity Theft, Security Vendor News
There’s an interesting post on the Wall Street Journal’s Business Technology blog today about security vendors resorting to gimmicks and publicity stunts in order to sell more stuff and, allegedly, raise the level of awareness about security threats. The lack of large-scale threats such as Slammer and Code Red that broke into the mainstream media has left consumers and some IT shops complacent about security. And all the while the epidemic of data breaches has snuck up on enterprises and made a royal mess of things, writes the WSJ’s Ben Worthen.
Publicity-seeking moves this month included antivirus software maker F-Secure’s call for an international police force to combat computer crime; Panda Security’s release of a study that draws a connection between cyber attacks and the stock-market crash; and McAfee’s appointment of a chief cyber security mom. The goal of that position, says McAfee Chief Executive Dave DeWalt, is to make tech security a “family” issue.
There are a couple of things that deserve some examination here. First, let’s just stipulate that security companies have been using gimmicks, scare tactics and all manner of other trickeration to hype their products since the dawn of the Internet age (and probably earlier). That’s just a given. (One small example: A security company that shall remain nameless once sent me an entire iron-and-wood seat from an old movie theater to promote its involvement with some upcoming movie or other. The thing must have weighed 85 pounds, so God knows what it cost to ship. Your license fees at work.) Second, it’s hard to imagine a more cynical example of this than the McAfee move that Worthen cites: the appointment of a cybersecurity mom. Ugh.
Now, I get that vendors are always looking for new ways to make the security story real, both for consumers and enterprises. There’s no question that people have started to tune out when they hear someone talking about another data breach or identity theft. There are just too many of them to keep track of, and if it doesn’t directly affect you, you’re pretty unlikely to care. And telling people that they should care isn’t going to do it, either.
The faulty assumption behind all of these gimmicks and goofy campaigns is that people don’t understand the threat, so vendors need to play the role of doomsayers or carnival barkers. In my experience, even the least technically savvy people see through these tactics and end up developing a bad image of the companies that employ them. I’m probably shouting into the wind on this, because the vendors have shown no signs of slowing down with this junk, and the threats themselves aren’t going away anytime soon. So I guess we should all prepare ourselves for a vendor to announce the inevitable appointment of Harry Potter as Chief Security Wizard sometime soon.