Reflections on Blackhat 2018: Growing Uneasiness
Two key themes emerged from the discussions held at this year’s Blackhat conference – and they are reminiscent of a dangerous time in tech history
Returning from Blackhat 2018, Evolver Vice President Chip Block has written his thoughts on the conference, centering on the trends of increasing capital and some shortcomings in communication. From his LinkedIn article:
I noticed two key trends from Blackhat attendees in how we talk about ourselves as an industry. The trends are related, but distinct.
First was how we talk about capital. As I went to events, visited vendor booths and attended parties, I began to hear an almost constant discussion about how much funding companies are receiving. “Who got their Series A? Who got another round of investment? Which private equity firm has added money to a company and who has recently been purchased?” As this topic moved across many discussions I couldn’t help thinking that I have been here before. The time was the late 1990s and we now call it the internet boom.
I can remember staying up for three days straight during the boom’s peak working to meet a software delivery deadline. As soon as we received payment, we watched the stock rise and reward all of us as shareholders. We weren’t necessarily motivated to build the best software. We just needed to make the deadline so that our stock price wasn’t negatively impacted.
Don’t get me wrong. Investment is the engine that will provide the money needed for new technologies and new companies that will help turn the tide against cyber adversaries. My concern is that receiving funding, and the eventual sale or IPO, becomes the primary motivator of company actions. And in the cyber security industry, rushing a product or platform without prioritizing quality leads to risk for clients and the industry at large. My uneasiness may not be warranted, but it is there.
The second trend is a bit more tangible. As a community, we are really bad at communicating the value of what we do. When I asked companies about the value they provide, most gave me a list of clients, usually in very generic terms such as “a top 10 financial firm.” What was not communicated was the value received by those clients. I heard phrases like “we are monitoring 10,000 endpoints.” That sounds good, but how much better off is the client after your product deployment compared to before?
As most know, I am a major proponent of the Factor Analysis of Information Risk (FAIR) methodology for monetary quantification of risk. The model is quickly becoming the de facto standard for measuring risk in dollars and cents. I am hoping as FAIR becomes used across most companies, the conversation with vendors will more closely resemble “we reduced the client’s annualized risks by 75 million by employing a new endpoint product.” Granted, this will put more accountability on companies to actually provide value, but that is a good thing in the long run.
You can read the full article here, and join the discussion on LinkedIn.
Evolver continues to apply its team of FAIR-certified cybersecurity analysts to organizations across various industries, including healthcare and financial services. Chip Block, himself a certified FAIR analyst, is the architect of Evolver’s Cyber Risk Ecosystem, an information security approach that directly ties cyber expenditures to core business functions.