Adrian Sanabria, Director of Product Management at Tenchi Security, arrives at the Ranch this week to debunk cyber myths and expose industry lies. Using his background running Security Weekly Labs at Cyber Risk Alliance, Adrian explains the lack of cohesive product testing happening in the cyber world, and delves into the research he’s done to get to the bottom of cyber’s most elusive statistics. Do 60% of small businesses go out of business after a breach? Adrian has an answer that just might surprise you.
[00:00] Introducing Adrian and his journey with Cyber Risk Alliance
[06:47] Buying awards and lying about customers
[13:24] Finding the source of fake cyber statistics
[24:28] The lies of vulnerability management and security awareness training
[30:58] Explaining Adrian’s It’s Time to Kill the Pen Test talk
[40:41] Creating a money-making concept for debunking cyber myths
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Can you tell me about your product testing lab with Cyber Risk Alliance?
We often hear the startup motto of “fake it ‘til you make it,” but Adrian wasn’t aware of how pervasive that concept was in cyber until he began his work with 451 Security. After encountering numerous professionals that expressed complaints and confusion with products on the market, Adrian wanted to break into the world of product testing— and the Security Weekly Labs were born. With a focus on external attack surface management and network vulnerability scanners, Adrian sought to find the truth behind the product vendors were selling him— and what he discovered strongly influenced his future.
“When we talk about myths and lies, it's not just straight up lies, right? At some point, they're faking it till they make it, and they get to a point where it's just too late to turn back. And then, it starts to get a little bit more insidious.”
Are vendors going far enough to fake customers and awards?
Not only are vendors “faking it” in a startup sense, some vendors have gotten right to the point of lying about the awards they’ve received and the high profile customers they’ve worked with. Adrian explains that buying and lying about awards has become a common practice within the cyber world, where certain businesses have let the marketing of winning an award override the legitimacy of their own success. While some companies may ignorantly feel drawn in by meaningless awards, more insidious industry liars have already mastered pulling out their credit card to buy what they want to win
“You can actually even fill in the name of the category you want to win an award for, you can just make up your own category. You drop a credit card and they send you a trophy. Some of these fake awards even have award ceremonies.”
Where do these cybersecurity statistics come from, and how do we validate them?
60% of small businesses go out of business after a breach— but do they really? Adrian’s exposition of cyber lies leaves no stone unturned, even when it comes to mystery statistics. Where did these numbers come from, and why would millions of businesses be more impacted by security breaches than fraud? After interacting with statistics like this with a shocking frequency, Adrian has even taken to Twitter on numerous occasions to call out companies marketing with fake stats and reveal his own research findings.
“There are people that have just hinged their reputations and their careers on some of these myths…And it's not that companies don't get hurt by breaches, but it benefits no one to make up stats, or to push this narrative.”
Is it time to kill the pen test?
There’s a lot of things done in cyber that might not have a place for everyone. Pen testing is near the end of Adrian’s list, but he’s quick to point out that the pen test process needs to change. Unfortunately, the bulk of what any organization is paying for when they run a pen test are vulnerability scans and report paperwork. Explaining a concept he developed with his friend and co-founder Kyle at Savage Security, Adrian explains that the modern-day pen test needs to look more like purple teaming and focus on prioritizing what really needs to be fixed.
“A lot of companies have pen tests, because they don't know what else to do with their security budget. You could apply that more broadly. A lot of people have a security budget, and they buy what they see their peers buy and do what analysts tell them to do.”