How to Lose All Credibility in Security

The fact remains that NOTHING in information technology is 100% secure. Nothing. If someone wants something badly enough and has the necessary skills, support and access to resources, they are going to get it. Yet so many vendors in the information security industry are still using phrases such as:

  • 100% secure
  • Hack-Proof
  • Unbreakable
  • Fraud-Proof
  • Completely Safe
  • and so on…

Apart from being entirely unrealistic, it is also unnecessary. You don’t need 100% security, even if it were possible; what you need is security ENOUGH. Fraudsters are lazy: if you’re too difficult to breach, or the benefit of gaining access is small compared to the effort needed to achieve the breach, they will move on. So just ‘build your fence’ higher than your competition’s. From what I’ve seen in the 15 years I’ve been consulting across the globe, this should not be too difficult.

The calculation you have to make is this:

Cost of Security > Value of Data: do what you can afford and no more.
Cost of Security < Value of Data: do it, but only as much as makes sense.

So what process magically gives you the answers to this equation? Easy: risk assessment, one of the most basic tenets of a security program done well, and one of the most under-utilised business tools in every organisation I’ve helped. A risk assessment process performed appropriately will tell you what you’re not doing well, how to fix it, AND how much to spend on doing so.

But I digress.

I do empathise with organisations and individuals trying to sell security. It’s tough, but that’s no excuse for organisations stretching the truth about their products, and if they claim 100% security that IS what they are doing. They have a responsibility to their customers: whether they like it or not, and whether they actually ARE or not, they are often treated as the expert in the room. Customers are looking for help, and it is up to vendors to provide what they NEED and not necessarily what they asked for.

The credibility of providers of information security services and products is inextricably linked to integrity. Integrity is a form of currency, to be invested in or spent on quick wins. Only one of these has a long-term future.

If you’re a buyer of security services, you have as much responsibility as the seller to buy only what you need. YOU must ask the right questions, and the only way you can do that is to either do your homework or hire someone to do it for you. Never expect a salesperson to think twice about giving you what you ask for, then charging you again for providing what you should have asked for in the first place. That scope creep is your fault as much as theirs.

If you want to know how to sell security with integrity, at least from my perspective, read this: How to Sell Security.


David Froud, Head of Compliance and Risk, MYPINPAD