From the Spring 2025 Issue

From the Editor-in-Chief

Adam Firestone
Editor-in-Chief | United States Cybersecurity Magazine

Hello,

It’s easy to get caught up in the chivalric vision of cybersecurity; it’s one that pervades the industry and has for…oh, well, ever.  More than a decade ago I attended a lavish cyber conference where the drinks (mine was an iced tea, in case Karen asks) were served on coasters in the conference organizer’s company colors bearing the words “We’re here to save the world.” While the coasters were objets d’art in and of themselves, the six-syllable message was breathtakingly powerful.  It was empowering.  It was motivating.  It was every reason I’d gotten into cybersecurity in the first place.

The message also embodied the dichotomy faced by the cybersecurity industry.  The word industry, in this sense, refers to a set of companies or organizations that engage in similar business activities.  Within each company there is a group of people with leadership and management responsibilities.  (The two are not the same.) That leadership group has a set of fiduciary responsibilities that involve acting in the best interests of the company and its shareholders.  This is often understood as a duty to take actions that legally and ethically maximize shareholder value, regardless of personal perspective and belief.

And therein lies the rub.  You come in with a belief that working within a cybersecurity company magically transforms you into St. George astride his noble keyboard.  I mean, steed, ready to slay the hacker dragons. And once in the door, the cold water of the company’s need to turn a profit and increase the share price hits you in the face.  This ever-present tension leads to some interesting outcomes that may indeed make the company more valuable but may not result in improved cybersecurity outcomes.

For example, another cybersecurity industry trade publication recently highlighted a company’s efforts to integrate new post-quantum cryptography (PQC) into its products and services.  The article was entirely complimentary; after all, who could argue with the idea of being proactive with respect to mitigating the security risks posed by quantum computing?  The problem was that the article elided the larger, and potentially existential, issue of communication.  Specifically, integrating new cryptographic primitives is important, but the integration of those primitives into standardized protocols is essential.  So much so that absent the near-concurrent development, standardization, and proliferation of protocols, reliable communication becomes impossible, and the primitives lose value.  The article’s implication was that the company had prioritized primitives over protocols.

That being said, proactivity and the perception of proactivity are an important part of maximizing shareholder value, even if sometimes they don’t lead directly to the ultimate solution.  The key for the cybersecurity industry is to be honest with ourselves about which activities are about company value, which are about ultimate solutions, where they coincide, and where they don’t.  Long-term success is about maximizing the overlap between solutions and shareholders whenever possible.

Build it right, America.

Adam Firestone
Editor-in-Chief
