The Blog

Security Witchcraft And Voodoo

Many people were this week startled by reports that GCHQ technical director Dr Ian Levy had apparently claimed that security firms exaggerated the threat posed by hackers to promote the services they offer, and to sell more hardware.

The stories arise from a speech Dr Levy gave at the recent Enigma 2017 conference and since he is the GCHQ Technical Director for Cybersecurity and Resilience, responsible for the technical strategy and content of GCHQ's security mission, his comments got a lot of attention.

But let's take a look at what Dr Levy actually said and whether there is some justification in his reported comments.

Unfortunately is it probably true that the security industry has suffered from a sort of 'spray and pray marketing' where hype and exaggeration of the threats posed by the 'spooky dark web' or the latest 'biggest threat' is not helping anyone and is in effect damaging our industry and confusing businesses.

Of course we don't want to get into the situation where we as an industry 'cry wolf' so much that when we actually need to be heard, we are ignored as hyping and exaggerating the threat.

The ability to prioritise and focus on the threats that do really matter is at the heart of a successful cybersecurity defences for our governments and businesses. Shouting about every minor incident or new theoretical threat does not help the poor, under resourced security teams struggling to manage the risks and ensure their businesses continue to operate smoothly without threats to their IP, customer data or other critical information.

Focus and targeted defences, based on rock solid intelligence is critical to making their lives easier, and confusing them with more fear and uncertainty will not help.

But while in many ways Dr Levy's comments were taken out of context - I know I spoke with him this week at another event -the sentiment was correct.

We need to get back to a sensible fact-driven debate, and not some sort of arms race of claiming the new worst cyber threat out there. The fact is the problem presented by cybercrime is massive and growing fast and that innovative new vendors are needed and should be encouraged.

As Dr Levy says, most attackers are not that sophisticated. But they are only as sophisticated as they need to be to succeed. So we as an industry need to help raise the bar and increase our own skills and professionalism to counteract them effectively.

We see examples all the time of companies exposing themselves online through accident and misadventure, leaving data exposed without the hackers having to do anything clever to get it.

So I applaud Dr Levy raising this issue and welcome some more mature fact-based conversations on the very real threats posed by professional cybercrime gangs.