Originally published on LinkedIn · January 18, 2018.
Normal disclaimers apply — these are my words/views and not the views of anyone else, trust me, I’m the only weirdo that is saddened by this stuff. I am far from perfect in my writing, ask me about my red pen problem, so self-reflection happens often.
As many of you know, I love secret shopping security firms along with collecting hundreds of the craziest security/audit/fraud claims in security companies’ literature/pitches over many years. The Milky Way-size gap between high-integrity security professionals, lawyers, and marketing people continues to amaze me.
Each year, I hope to wake up with my hobby all dried up. But ah, 2018 has started out with a real treat. I got the ad about what appears to be a new “cloud company”. After much research, they have respectably been around and appear to have good senior leadership with some good security experience… BUT… the name of the company is completely irrelevant, as with the hundreds of other examples I have collected.
According to some very basic reading of my newest victim’s website and high-level research on LinkedIn, here are some interesting claims (I normally only find one per company, so this one really made my day):
“The First Totally Secure Cloud Company”
“Totally Secure” — Wow, sign me up. I think “totally” would equate to being able to prevent ANY type of physical, environmental, cyber, insider, outsider or supplier from ANY vector…. EMP anyone? Cut fiber anyone? Bad configuration anyone? Yikes, you mean there was a new patch today. Strike One.
“Cloud Security That Protects Against One Thing…. Every Thing”
“Every Thing” — Wow, wow, add on another year to my contract, please. I think my English teacher taught me that “everything” means “everything”, in 1st grade.
“Analyzes 100,000,000,000+ events per month” — okay, sounds good so far — but potential customer please understand that analyzing doesn’t equal taking action…. wait for it.
But they also “Automatically Block 99.99999% of security events” — Math time. That then means ~10,000 “security events” aren’t blocked per month. What happens to them then? Uh, potential customer, that means these events get to the target and breach something…. so with “1,200” customer “environments”, pretty good odds you will be breached…. like normal cloud provider customers do every day.
But of course, their leadership in a video on their website also says: “at the end of the day you can’t stop everything” — where have I heard that word “everything” before?
“The [malicious] things that come in, you can get it off the machines” — So that means my machine can still get breached…. but—
But don’t worry, we have a “99% protection rate” — Uh, I thought you said you “Block 99.99999% of security events” — so “protection rate” is different from “block”? I hope your customers understand the difference. More math: if 99% of the security events get “protected”, are the other 1% successful?
“5000 security incidents managed yearly” — Assuming that this isn’t all professional services (~211 staff all doing incident management would mean each employee would be managing 23 incidents per year, even the receptionist). So are these 5000 incidents part of the 10,000 mentioned above or the 99% protection rate…. but—
“instantly…. recover from cyber threats” — in my experience “instantly” means, like now, not in 5 minutes. Oh, wait — I just re-read that…. they said “threat”. How do you “recover” from a “threat”? I thought you recover from a breach. Missed that one… my bad…
A Basic LinkedIn Credential Check
Now, obviously I am a fan of LinkedIn and hope that everyone on LinkedIn keeps their profile up to date and is proud of their accomplishments, especially my security peers. So let’s do a very basic search on the security credentials of this wonderful supplier/vendor that supports “1,200 customer ENVIRONMENTS”:
- <5% of their staff appear to have an industry-leading CISSP Certification
- 0% of their staff appear to have an industry-leading CPP Certification
- 0% of their staff appear to have an industry-leading PSP Certification
- 0% of their staff appear to have an industry-leading CFE Certification
- 1% of their staff appear to have an industry-leading CISA Certification
Please Stop
I could go on and on with more evidence of the complete disconnect between the amazing security professionals, the lawyers, and the marketing people at this and so many other suppliers/vendors that think they can get away with making such claims.
PLEASE STOP. One of these days, somebody with critical infrastructure is going to drink your Kool-Aid and something is going to happen and someone is going to DIE. PLEASE STOP. Adopt a view of absolute integrity in advertising.
I hope the security professionals of this company listen to my “professional heart”, because I know they have a hard job, but I beg them to do everything in their power to get their executives and board to bring down their advertising/website and rethink these claims today. It is a complete embarrassment to your fine organization and unfortunately many elements of our hard-fought industry.
But remember Mr./Ms. Customer, this is “The First Totally Secure Cloud Company.”
