After finishing yet another consulting call with a customer who moaned about their cyber security provider, but then refused to do anything about it, I started thinking about why this happens… often. Why is it that there are so many horror stories coming out of the infosec industry? Why do so many CISOs and SOC analysts whine about their fancy UBA system being “pretty but utterly useless” or their log aggregator being “missold to them as a SIEM”, but then follow them on social media, attend their events and, most bizarrely, wear their T-shirts!
Honestly, who knows? But this is when it clicked. Everyone has vendor-induced Stockholm Syndrome! It sounds bonkers, but hear me out…
What is Stockholm Syndrome?
The term was coined after a bank robbery in Stockholm (obviously), where Jan-Erik Olsson kept 4 hostages. After police intervention, all hostages and Olsson were removed unharmed, yet none of them wanted to testify against Olsson, as they had bonded with their captor.
For more information, search “Norrmalmstorg robbery”.
The phrase ‘Stockholm Syndrome’ now refers to the coping mechanism that appears in a captive/hostage situation. It is a psychological response in the hostage which causes them to sympathise with their captor and develop positive feelings for them. I promise, I will get on to how this relates to cyber security soon.
So How Does Stockholm Syndrome Occur?
For Stockholm Syndrome to occur, certain criteria must be met.
1. The victim must feel threatened, extremely threatened, i.e. at risk to life.
2. The abuser shows a small act of kindness after a prolonged period of no kindness. For example: being given food, or a toilet break, after a prolonged period of going without basic human needs.
3. The victim must be isolated from a third-party perspective. For example, they will have no outside information or connection to the outside world.
4. Victims must feel they are unable to escape, or that trying to do so is futile.
What Has This Actually Got to Do with the Industry?
Is Cyber Security Stockholm Syndrome a Thing?
I’m so glad you asked…
Point 1, the victim must feel threatened. Companies are now being told that cyber-attacks are imminent. If they don’t get a certain tool or buy certain services they “WILL” lose their reputation, pay fines and lose customers. Therefore, security companies selling the tools and services will charge whatever they please. This fear-driven decision-making puts the vendor in control of the market. With the presence of large-scale cyber attacks in the media, comes a lot of fear selling and a lot of panic buying.
Cyber Attacks & Fear Selling – Companies like Sony, Target, Yahoo, Aon and EasyJet aren’t poor companies, yet they were still compromised. How much you spend does not determine your defence maturity. Throwing money at a problem does not guarantee it is solved, yet many companies think that buying up the Gartner list will make them more secure. Without a strategic approach to cyber defence buying, making a tangible difference that results in increased defence maturity is unlikely to happen, regardless of how much you spend and where.
Point 2, the abuser shows a small act of kindness after a prolonged period of no kindness.
Now, if you are a CISO or decision maker, you may have experienced harassing calls, some even aggressive. Or maybe companies with great reputations who are completely messing you around, with misleading selling and murky delineation of responsibilities… the list goes on.
Let’s imagine the company you are currently having a bad experience with now decides to give you an offer, discount, extras or freebies of some sort. I’d argue that if they can simply knock £15k off the sale price to keep you interested then maybe, just maybe, their product should have been £15k cheaper in the first place?
Discounts, Limited-Time Offers etc – Maybe you see getting 3 large glasses of wine for the price of 2 as a good deal, and it is no doubt sold to you as such, but if the bottle is worth less than the price of 1 glass and the service is poor why would you not explore other avenues to get what you want? Sales, deals and enticing reductions in price just for you are rarely what they seem. You already know this.
Point 3, the victim must be isolated from a third-party perspective.
Cyber security is an echo chamber, regardless of the platform you use. Whether it is social media, conferences, etc., infosec folk tend to stick amongst themselves; I’m very much guilty of this too. This includes the IT engineers or developers that attend cyber security conferences and digital spaces. It’s a nice place to be, but it is a vacuum of opinions and habits. Key decision makers (CISOs and Heads of IT) must be careful not to end up in an echo chamber of security “experts” (salespeople) telling them what to buy and what’s on trend.
Cyber Security is an Echo Chamber – Yes, it is. Anyone who has any interest in and follows the cyber security industry, regardless of their role, is part of the echo chamber. So you will have limited educated insight into that third-party perspective, but you can use that to your advantage. If you are a decision maker and you are receiving bad service, make it known within your circle. The industry talks, and this can mean positive changes in the future. Stop tolerating bad behaviour.
Point 4, victims must feel they are unable to escape, or that trying to do so is futile. Companies are strangled by regulation and fear; this happens regardless of which vendor you go with, or how much cash you spend.
I have heard so many horror stories over the years, yet companies continue to stay with the ones who have treated them badly = Cyber Security Stockholm Syndrome. But I understand that cyber security is necessary, although it is expensive and the results are intangible. Knowing how to navigate that in a saturated market isn’t easy.
Companies Are Strangled by Regulation and Fear – If your business is dependent on regulation in order to survive and pass audits, you will feel strangled by it. This is regardless of the price you pay, the vendor you go to or the amount of resources you throw at the problem.
So… why are you tolerating Cyber Security Stockholm Syndrome?
The bigger question is why are you complaining to someone at th4ts3cur1ty.company about this and then wearing a branded T-shirt for the other company?
This is all quite concerning, hence the comparison to Stockholm Syndrome.