Adrian Sanabria @sawaba, 15 tweets, 3 min read
1/ Alright. InfoSec Industry. Mainstream media.
It's time we sit down and have a serious chat.
Almost all your stats and claims are bullshit.

Yes, it's rant time.
Yes, I'm using the patronizing filter, sorry.
My patient filter is all out of batteries.
2/ Breaches are bad. We can agree on this. They're disruptive. They're expensive. They can have a negative impact on reputation (mostly when handled badly).

They're not destroying companies at a horrifying rate, or any rate we can calculate.
3/ Certainly, we're not seeing 500,000 small businesses going out of business because of a breach. Or 60% of SMBs every year.

Businesses are going to fail because there are already 100 other cupcake shops in the same neighborhood.
4/ In fact, after years of digging, my list of companies destroyed by a cyber incident or breach remains at *six*. Code Spaces, CardSystems, OnlyHonest, Mt. Gox & co, DigiNotar and Ashley Madison. Believe it or not, HackingTeam appears to have recovered.
5/ We're not going to see 6 Trillion Dollars in cyber-armageddon losses or anything remotely approaching the median GDP of the European Union. Breach per record isn't over $200 or remotely approaching that. csoonline.com/article/311046…
6/ Even if you include all the open positions for MSSP SOC monkeys, there's nothing even close to 1 or 2 million unfilled cybersecurity jobs, now or anytime soon.
7/ Yes, there's a talent shortage, but EVEN IF WE FILLED all these positions with qualified people, our problems would be far from solved. In fact, I think that many of the open security positions exist BECAUSE of issues caused by the security industry itself. Self-inflicted.
8/ Most of these bad stats and hyperbole can be traced down to three sources: Ponemon, CyberSecurity Ventures, and Symantec.

We're talking about just a handful of individuals responsible for all these "statistics".

csoonline.com/article/315370…
9/ And then thank the mainstream media for having someone hold their beers and misquoting these 'stats' into oblivion (there are a few that actually call to consult with experts and data scientists before publishing - you know who you are).
10/ Is it ethically terrible to overstate statistics when a situation is clearly in a worsening state? Well, at worst, it's focusing cybersecurity's already challenged and overstretched resources in the wrong places.
11/ So I'm not going to complain without throwing out some guidelines and recommendations that I think might help address these issues.
12/ When using statistics, please:
- Cite your sources
- Publish source data whenever possible, or at least make it available upon request
- Put data in the correct context
13/ (Continued) When using statistics, please:
- State your sample size. If you don't want to because it's n=12, maybe you shouldn't be using it.
- Make sure you've interpreted the stats correctly! When in doubt, ask an expert - many are willing to check your work for free.
14/ (Continued) When using statistics, please:
- Most importantly, validate before sharing or publishing! There's no CTRL+Z for the Internet. I've been guilty of this myself - watching my own bullshit tweet go viral, as if just to mock my shitty mistake.
15/ Finally, you CAN make a story sound exciting, compelling and important without overstating the facts or making up stats.

Don't do it for me, do it for our data scientists. Make it so that they don't have to turn to drink whenever they see bad stats. /END