We Need More Snoods!
Ask yourself – when was the most recent time you read a technology news article, walked past a conference stand, or saw a billboard loudly advertising “advanced AI capabilities” and inwardly groaned? Oh look, another one.
A running joke in the information technology world is the nearly annual cycle of new buzzwords and catch-phrases that seem to captivate marketers, journalists, consulting firms, and new startups alike.
Terms such as cloud, blockchain, devops, agile, web 3.0, zero trust, quantum/post-quantum cryptography, supply chain, and most recently, artificial intelligence have dominated recent discussions around information technology. This is nothing new. Web 2.0, PKI, e-commerce, virtualization, big data, gamification, and many more sector- and technology-specific terms are familiar to anyone involved with the global tech industry in the past thirty years.
Most of these represent legitimate concepts. When one or the other fades out of prominence, it does not mean that it goes away; rather, there is a high degree of probability that the technologies or processes it describes have become a mainstream, integral part of the IT ecosystem.
Unfortunately, buzzwords and the enthusiastic reaction they often generate bear real and significant risks. Whether you are an information security professional, a purchasing manager, CIO, entrepreneur, or investor, you should be aware of these – so that you can ensure neither your security maturity nor your financial bottom line suffers from an excessive focus on trendy ideas.
In this post I take an exceptionally over-simplified, anecdotally formed look at how excessively focusing on over-popularized concepts can negatively impact innovation and responsiveness in an increasingly complex information security landscape – and counter-intuitively, hurt competition.
Buzzword-Chasing Hurts Companies
Vendors and consultants often naturally focus on what customers want. If artificial intelligence is constantly in the news as the current Big Thing, it is understandable for C-level executives to ask themselves whether it will solve all their problems. If you are familiar with the tired, disproven phrase “nobody ever got fired for buying IBM” (or whichever brand you want to insert here), buzzword-focus is a similar phenomenon. After all, if a given topic is omnipresent, who can fault a CTO or CISO for confiding in a seller promising ROI from what all the other cool kids are doing, right?
Their successor, that’s who. Despite increasing regulatory pressure, cybersecurity budgets remain tight – inevitable for what is still a major cost and a frequent obstacle for business innovation. CISOs’ resources for proof-of-concept implementations are limited, making it difficult to identify quality providers in packed industries. Word of mouth in closed trust groups helps, but only goes so far, and it allows for little flexibility when the CEO and CFO ask, why are you not investing in <insert Big Thing here>? After all, this report from Big Consultancy Inc. claims Big Thing is vital to the modern organization.
I am a firm believer that large companies should invest in risky early-stage technologies – better to drop €50k on a seed-stage startup and help shape their development, than to buy a license 5 years down the line for a multiple of that. It’s a great investment, and helps everyone. However, focusing on fashionable technology projects can eat up budget, and hamstring security departments for years, potentially impacting other, more basic operational requirements – not to mention reducing a firm’s flexibility to invest in more forward-looking, green-field projects.
Startups and Investors All Suffer
Next, investors – venture capital, private equity, and others – can have very limited due diligence capabilities, and will generally focus on what promises returns in the short run rather than on long-term viability. This means that investors, whose expertise tends to be more in finance and management, and who frequently rely on a small number of often younger, less experienced analysts, can receive a skewed view of what are “good” technologies to invest in.
The resulting “bandwagon” effect means that currently prominent technologies become crowded, while solid companies pursuing less superficially attractive solutions can become overlooked and starved of funding and clients. It should not be necessary to explain what happens to the likelihood of a successful exit when every investor is chasing the same part of the market.
Worse, those few truly promising firms in packed fields struggle to get their message out – something I have seen first hand with numerous clients. It is a frustrating experience for any consultant working with a promising, smart, motivated firm whose quality stands out above the crowd, just to be met with rolled eyes from CISOs. Oh, good, another company claiming AI somethingorother. When the sheer volume of low-quality competition paying lip service to an idea currently in vogue stifles the ability of strong, promising actors to even get a chance, industry suffers from lack of access to genuinely robust products and services to meet their future needs.
I mention AI because it is (still) the most modish current example of such buzzword-focus, and promises to remain so for some time. I am not in any way claiming that artificial intelligence is just a buzzword. It is a collection of incredibly promising, fascinating technologies, being developed by many highly intelligent people. Like the web, the Internet, and the PC before it, AI and its various capabilities will revolutionize many aspects of how we work with technology, the threats we face, and how we prepare for and defend against them – in the information security arena and beyond.
However, this is a call to action to those in a position to look beyond hype, and ensure that more boring, bread-and-butter technologies are not overlooked. One of the ever-repeated concepts in my business school was the “blue ocean/red ocean” strategy – a fancy way of saying “go where everyone else isn’t”.
How Can We Fix This?
I do not expect this message to resonate with vendors. Those who are respectable subject matter experts in any given currently-popular field are unfortunate victims of circumstance, and I only hope that the quality of their work will inevitably speak for itself and help them to succeed. As for the rest – it’s to be expected that vendors go after customer dollars.
The same goes for journalists. In an ideal world, a tech journalist would report not only on what sells subscriptions and views. In an attention-driven economy where views-driven advertising budget can displace opportunities for writing about truly relevant tech issues, it’s fathomable that a publication would rather focus on something attention-getting in line with current trends.
Likewise, while information security leaders mostly have the tools and information to understand what their real needs are, and who is a reliable partner in a congested sector, they often fall victim to management demands beyond their control.
Those who can make a difference are a) investors and b) senior corporate leadership. Even as less exciting, more stolid technologies become increasingly commoditized and automated, there is important and top-notch work being done by companies focused on less sexy topics – IoT device patching, network security monitoring, legacy code patching…the list is very long.
Senior management should always rely on the CISO and their team for guidance on what their organization’s current information security technology needs are, and not the other way around. As the CISO increasingly becomes a business-aligned function, it’s legitimate to expect those who hold the role to have a firm understanding of business needs, abilities, and resources. This will help companies focus on those technologies that are truly relevant.
It’s About Money, Stupid
Maybe more importantly, investors have a major and often-overlooked role to play in ensuring that “boring”, important topics get the attention they need. Most venture capitalists probably don’t care what they invest in, as long as there’s a good promise of return. That is fine – they are in business to make money.
As an investor, ask yourself – where will I make more money? In a jam-packed area where funding is pursuing a few great companies, with resulting exorbitant term sheets (leaving many with the dregs)? Or rather, with entrepreneurs who know that the best way to make money in a gold rush is to sell shovels?