By: Michelle Schafer, Vice President at Merritt Group

After being in cybersecurity marketing and PR for 13 years, I’ve seen a bit of a “hype cycle” during my career in how the media cover certain security trends, technologies and threats. These days, it’s less about actual security products and technologies that solve the threats, but more about the latest nation state threat or attribution report that reveals a new cybercrime gang dishing up advanced malware in Russia or China. From Operation Aurora to Heartbleed to POODLE to Carbanak Gang (and everything in between), I feel like I’ve seen it all. But are those hyped up threats and news headlines really helping security pros do their jobs any better? 

This summer, I teamed up with Tim Wilson, the Editor of DarkReading, to give a talk at RVASec, Richmond, Virginia’s top security show, to explore this very question. Our presentation, The Changing Mind of the Security Pro — How Hype and Media Shape Infosec Priorities, was well attended — it’s actually the second time we’ve presented at this show on this topic, so I’m guessing they like us! 🙂 

The premise of our talk is that it’s very difficult for security professionals today to have clear priorities when there’s a storm of news reports, vulnerability disclosures and other hyped up security threats in the media. It becomes a bit chaotic and confusing at times, when threats are so often over-hyped in our industry. It begs the question: do security professionals lose sight of what is most important to do their jobs effectively? Are they patching a critical Windows vulnerability or worrying about APT28 (aka Fancy Bear)? 

We kicked off our talk by exploring a Black Hat survey of 250 infosec pros that laid out the top concerns of security pros, which topics they felt were overhyped and underhyped, and the sources they trust to get good information. The findings reported that the top concerns included: 

  • Phishing/social engineering 46%
  • Sophisticated and targeted attacks 43%
  • Vulnerabilities introduced by internally-developed apps 20%
  • Data theft/sabotage by malicious insiders 16%
  • Espionage/surveillance by foreign governments 15%
  • Polymorphic malware 15%
  • Accidental data leaks 15%
  • Ransomware 13%

And when asked which issues they felt were overhyped, they responded:  

  • Government surveillance 36%
  • Espionage by foreign governments 26%
  • Hacktivists 24%
  • Ransomware 23%
  • Internet of Things security 21%
  • Sophisticated and targeted attacks 20%
  • Phishing/social engineering 11%
  • Mobile threats 10%

And finally, when asked which issues were under-hyped and needed more attention, they responded: 

  • Accidental data leaks 23%
  • Phishing/social engineering 19%
  • Government surveillance 17%
  • Vulnerabilities in off-the-shelf apps 17%
  • Internet of Things security 17%
  • Vulnerabilities in in-house developed apps 16%
  • Espionage/surveillance by foreign governments 15%
  • Sophisticated and targeted attacks 10%

Note that phishing/social engineering and sophisticated/targeted attacks were listed in all three categories: they are top concerns that are both overhyped and under-hyped. Clearly, it’s a bit confusing! Ransomware is another topic that made major headlines this year, which explains why some think it is overhyped. 

The survey also asked the respondents about their primary sources for the most reliable information. They said they mainly get information from security blogs (71%), IT news media (70%), conferences (68%), colleagues (56%), vulnerability sites like US CERT (51%), social media (49%), Google/search engines (47%), professional associations (39%) and mainstream media (19%). 

Looking at the data and how the media has covered the threat landscape over the years, the big takeaways included: 

  • What’s in the media doesn’t always match the security pro’s priorities; the media focuses on the new and the “info sexy”; 
  • The “most reliable” data sources overhype some things and under-hype others; and 
  • The “most reliable” sources can be influenced by many factors.

But let’s face it, hype equals widely read news headlines, and that just means PR pros and journalists are doing their jobs. At the end of the day, it’s really up to the security pros to determine their own priorities to get their jobs done – and to really try not to get distracted by all the crazy noise out there!