Category: Marketing

Be an InfoSec Berean

In the Bible (no, this is not a sermon – yes, this is InfoSec relevant), there was this group that Paul ran into called the Berean Jews. (Acts 17:10-15 if you want to look it up). These Bereans were shown in the scriptures to be diligent people who checked the facts. Verse 11 says:

Now the Berean Jews were of more noble character than those in Thessalonica, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true. (emphasis added)

So basically, the Bereans were not going to accept anything at face value. They immediately went back to scripture and checked out to see if what Paul was saying was true, and then they made up their minds.

Now what got me thinking about this particular group and how it applied to InfoSec was the article at Infosec Island by Scot Terban entitled “Infosec: The World’s Largest Rube Goldberg Device”. Scot has some pointed things to say about the different vendors and “experts” selling their toys and wares in the industry, and his points are good. But this theme has been in InfoSec (and other industry) blogs since I started reading them (I have written a few myself): do not fall for the sales pitch and the marketing.

This is just good common sense, right? Then why in the name of Mordor do we have to keep saying this? Is this for the benefit of the new folks in the industry? Is this because people just like a good rant session? Is it because someone STILL has not learned this lesson? Is it because there are a lot of lazy folks out there?

Now I am not hitting Scot here. I have zero problem with writing the post (and in fact, his overall theme was not about this really at all). It just struck me that if you have to be reminded to be an “InfoSec Berean” when the sales person calls or when you read an article comparing different technologies, then you are wrong. No, we don’t have a convenient set of scriptures to go to (except for NIST or something like that, which Scot points out). This is more about doing your due diligence to prove or disprove claims made by sales or marketing. Get some documentation. Get some references. Do a proof of concept (not always practical, I know). Make sure there is proof of the claims. Don’t accept it at face value, just like the Berean Jews.

And, in my finest adult-preachin-at-you voice, don’t make me tell you again!


Doubting Security Marketing from The Shimel??

OK, Armageddon is officially here.  Alan Shimel has made the comment that security marketing might not be "worth the paper it is written on".  Holy crap.

Though I am just having some fun with Alan, this still makes me wonder if the comments from Greg Ness (quoted in Alan’s post) are right. Are the days of "entrapment marketing" over? I am not in the position of getting a thousand calls every day as a security manager anymore, but I do see a lot of those whitepapers still out there. I still get a lot of email asking me to download them. But Greg is also right that social media is taking over a lot of this. That is why I created a talk / presentation where I talk about how to use security blogs as research tools.

Marketers MUST recognize this trend.  I still see a lot of old school marketers out there trying the old ways.  These people are either not adaptable, or they just have been under a rock for the last few years.  I get too much info on new products and trends from blogs for it to be worthwhile to download whitepapers that some vendor wrote.  Just doesn’t make sense.

Thanks for the post, Alan.  I am in Heaven! 🙂