Term-confusion in cybersecurity
Next steps in crowdsourced security
Why all of this matters
Are you making a Walkman? Or an iPod?
When the walkman was introduced, it created a category. It's brand also became the term of description for that category. Co-opting a use-case with a product term is common practice and oftentimes is a smart marketing decision, but it becomes problematic in the transition between the specific product (e.g. a portable music device that plays cassette tapes) and the general use-case which the category serves (e.g. a portable music device).
When the CD came out, Sony struggled for a time to disambiguate the Walkman from the Discman. I still remember the frustration in explaining that "You need an iPhone if you want a phone, but you don't also need an iPod if you want an iPod'" to my grandmother, but given she already had an iPhone this conversation was a lot easier... I'll come back to that in a bit.
Words, damned words, and category creation.
Security suffers this problem early and more confusingly than most sectors, because the nature of the problems we're trying to solve are in a continuous state of discovery and innovation i.e. we fix things, people build new things, and the bad guys come up with new things.
Some security examples of this ambiguity, according to the people who consume and use the services:
- Used to mean: Emulation of an adversary with a specific starting point, and a specific set of goals.
- Turned into: Security assessment where exploitability is confirmed by a human operator (Thanks PCI DSS).
- Now means: Any dynamic security assessment that is conducted in private, involves a person, with or without delivery against a methodology, and with or without the delivery of a report.
bug bounty (n)
- Used to mean: Rewarding vulnerability finders with cash or a cash equivalent.
- Turned into: Incentivizing the vulnerability finders to test for and report vulnerabilities to your company.
- Now means: Any security assessment involving people who don't work for a pentest company.
vulnerability disclosure program (n)
- Used to mean: The to intake and coordinate vulnerability information received from people outside of your organization (finder to vendor disclosure), and the planned sharing of vulnerability information to affected parties once the vulnerability is remediated (vendor to customer disclosure).
- Turned into: A bug bounty without rewards.
- Now means: Inviting, or even requesting, anyone on the Internet to test your organization for vulnerabilities and submit them to you.
My take, based on 20 years of working in security (most of either delivering, managing, or conducting security assessment), is that the things words meant 20 years ago in my space is very different to how those words are used today.
Ok, now what?
If "crowdsourced security" (or a better branded analogy at the same level of abstraction) is a declared category, what are the disambiguated lanes for each of the existing products, according to the market's definition? Where do each of these three things land in terms of the market definition?
Here's where I see it landing, based on a combination of existing historical definitions, the incentives on the buyer, and the competitive incentives of the various players servicing these spaces:
- pentesting: The PCI DSS definition rolls on. Pentesting is vulnerability and risk discovery in a manner that resembles the behavior of a human adversary. It's distinguishing feature is that it is conducted privately. Reports, adherence to methodology, and features like VPNs and access control are category options which are frequently featured in this use-case, and there is no prescription on the way people are engaged, as long as it's clearly understood that the work is to be done privately.
- bug bounty: Defensive vulnerability acquisition. This is going back to its original definition as a public crowdsourced vulnerability discovery program (with a private training period if required) where finders are encouraged to conduct security testing and rewarded if they are the first to find a unique issue.
- vulnerability disclosure: The ability for companies to receive security feedback from the internet (per ISO 29147), and coordinate their response (per ISO 30111). In the process, this will be disambiguated from "bug bounty" where cash or cash equivalent provides the incentive to test and report on relevant vulnerability information, not just the ability to receive input and mitigate.
Why is this important now?
- The term of definition in a new category nearly always contains the expertise and planning of the original design, with the future resilience of the solution in mind. The Discman wasn't called the Discman to disambiguate CDs - it was because CD's and jogging don't mix.
- The market will buy and consume the thing they think is most likely to solve their problem mostly based on their association of the term most commonly used by their peers. If marketing and term co-opting causes drift in that definition, it becomes very easy for a category to fail purely because the expectation for value is based around something the product wasn't meant to do (or, even worse, in a way that undersells it's core strength).
The Walkman department of Sony did pretty well as a business, but Apple did much, much better.