Mike McCormick

Elizabeth Holmes: Wake-Up Call for Shady Cybersecurity Vendors


This week’s guilty verdict for disgraced Theranos CEO Elizabeth Holmes sent reverberations through Silicon Valley, where “fake it till you make it” was a mantra for decades. When “faking it” includes misleading investors, board members, employees, or customers, there is now a real risk of jail time.


Cybersecurity start-ups have sprouted like mushrooms across Silicon Valley in recent years as venture capitalists react to a drumbeat of security breaches in the media. Most established cybersecurity providers offer trustworthy products and services, but a few vendors sell “snake oil” products that offer little or no real security protection.


There are ways to spot cybersecurity snake oil. Meaningless but impressive-sounding marketing buzzwords like “military grade encryption” (or worse yet, “secret proprietary encryption”) are a red flag. Silver bullet solutions that seem too easy or unrealistically effective are another. Anything claiming to be “unbreakable” or “100% secure” is hype at best. Solutions that claim to use “AI” or “blockchain” to magically solve security problems should be met with skepticism.


Most security snake oil vendors target business customers, but there are some that consumers should watch out for. The recent explosion of virtual private network (VPN) products is an example. While they do no harm, most of them provide little meaningful security in today’s HTTPS Everywhere world. Another example is secure messaging apps: many are genuinely secure, but some are not.


Buyers of weak security products get a false sense of security that can lead them to take unwise risks, or expose them to threats they mistakenly believed they didn’t need to worry about. “I’ve got the Acme Magic Firewall, so I don’t need antivirus.”


Selling ineffective cybersecurity solutions is not a victimless crime. People depend on security providers to protect their most important assets. Hopefully, leaders of security vendors who are “faking it” will learn a lesson from Elizabeth Holmes: if a tech company sells snake oil, the legal system may come after the company’s executives personally.

 

Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.