Beware of the ‘Pet Rock’ Cybersecurity Vendors

In April 1975, Gary Dahl had an idea. A genius idea as it turned out, particularly when you consider that he made roughly $28 million dollars (adjusted for inflation) from something that was, to all intents and purposes, completely useless.

The Pet Rock was just that, a rock. No paint, no googly eyes, nothing, just a rock taken from Rosarito Beach, packaged up and sold for $20 each.

He sold 1.5 million of them.

But the reason it took off was not the rock itself, it was because of the packaging the rock came in and some absolutely brilliant marketing. There was a pet carrier box (with air holes!), a nest of straw, and, of all things, a 32 page instruction manual; “The Care and Training of Your Pet Rock“.

It went viral before there even was such a thing. You either had one or you were constantly having to explain why you didn’t. Kinda like the ice bucket challenge, if you didn’t take part you were given a ‘look’ and immediately judged.

By now, the parallels I am going to make with regard cybersecurity vendors should be fairly obvious, but where the analogy falls apart is in the motivation of the provider, and the consequences:

  • The pet rock was whimsical, made no false promises whatsoever, and was priced to be thrown away when the ‘joke’ was over; but
  • Security vendors are working in a field of utmost importance, make claims and promises that can be outright lies, and the results of the technology’s failure can have significant negative consequences.

But what they both have 100% in common is that they are nothing without their fancy packaging, and the difference between success and failure is dependent not on what the market’s needs or the capability of the ‘product’ itself, but on the results of the marketing campaign.

Smoke and mirrors at its very best/worst, depending on your perspective.

I’ve written ad nauseum on this subject over the years, but the one thing that I still absolutely cannot accept is the continuing ignorance of the organisations who would rather throw their money away than do a little homework. They are quite literally putting their businesses on the line and still act shocked and mortified when things go wrong.

Now, for once, I’m going to put my money where my mouth is, or more accurately, my time:

Any organisation within a 1 hour train ride from London can have 1 day of my time for ‘free’ as long as the following requirements are fulfilled:

  1. I get 30 minutes of the CEO’s time, one-on-one, prior to all subsequent meetings – no alternates, no exceptions;
  2. If you have a governance function, I get a 30 minute meeting with them, if you don’t, 30 minutes with your senior leadership (or equivalent);
  3. I get one-on-one meetings with the following people (partial):
    • Head of IT;
    • Head of Operations;
    • Head of Legal;
    • Head of HR;
    • Head of Compliance/Audit;
    • Head(s) of [main business function(s)]
  4. I receive a brief from the relevant teams/personnel on the current state of your:
    • Governance / Change Control;
    • Policies, Procedures, and Standards;
    • Network Diagrams / Asset Management;
    • Project Management;
    • Applicable external standards/regulations (e.g. GDPR).
  5. You pay all travel costs and buy me lunch.

I realise that this is not ‘free’, and that the time spent preparing for and conducting these meetings is a cost in and of itself. One that will likely significantly outweigh my normal day-rate, but in return you will get:

  1. A high-level report on your Top 5 security risks, and options (not recommendations!) to mitigate them;
  2. A first impressions summary of your security control capability gaps;
  3. A first impressions summary of your cybersecurity skills-gaps;
  4. A prioritised list of your suggested next steps in the development of an appropriate security program;
  5. A rating, based on my experience, of the maturity of your existing security program i.e. are you above or below the bad-guy’s radar.

Frankly you have very little to lose; You’ll trust my judgement, or you won’t. You’ll want to hear more, or you won’t. Either way, you’ve spent a couple of hundred quid at most. But what you will have effectively done is something, which is often the hardest step. Too many organisations are stuck by either analysis paralysis or not knowing where to begin.

I am not going to insult your intelligence by claiming that this offer is an any way altruistic, I will of course hope to get more business on the back of this engagement. But even if I don’t, you’ll hopefully have found someone whom you trust to point you in the right direction.

Security vendors should rarely sell clients what they ask for, not unless they are are sufficiently qualified to know what’s right for them. We should be selling them what they need, even if [especially if!] they don’t know what that is. The goal of every security vendor should be to become a career-long partner to your business, but we’ll never reach that goal if you don’t see the benefits of what you’ve paid for.

If you’re interested, you can contact me on david@coreconceptsecurity.com, or through my contact form.

I will follow up in a month or so to give you my thoughts as to why not one organisation took me up on this offer.

Because none will.

[If you liked this article, please share! Want more like it, subscribe!]

If you think I'm wrong, please tell me why!

This site uses Akismet to reduce spam. Learn how your comment data is processed.