Through GDPR-tinted glasses
With this year's InfoSec Europe the last before GDPR takes effect, channel partners explain to Tom Wright how vendors gave their products a marketing makeover ahead of the regulation's arrival next May
Last month the rest of the world saw what the cybersecurity sector has been prophesying for years: a fast-spreading, global ransomware attack with no prejudice when it came to the organisations it targeted.
But although WannaCry was a hot topic at Infosecurity Europe in London, it was the General Data Protection Regulation (GDPR) that was the focal point for the majority of conversations at the three-day event - the last before GDPR's 25 May 2018 implementation date. The fear of having your data held to ransom is apparently not as scary as the prospect of being fined a hefty chunk of your revenue for a data breach.
While an increasing awareness of GDPR will be seen as a good thing, channel partners who attended the event told CRN that the level of misrepresentation from a number of the vendors present was a step too far.
David Lannin, director of technology at security reseller Sapphire, said the marketing of some vendors reached the point of being misleading to end users.
"I think it's a case of vendors jumping on a bandwagon," he said.
"While some do have elements of the technology that can address it, some of the marketing I've read over the last couple of days has been fairly disgraceful.
"It's inappropriate and misleading to the market. I think a lot of marketing people think they're doing a good job, but it's not helpful when you have vendors that do a very small sliver of GDPR and yet their advertising seems to suggest it's a silver bullet, when it's quite clearly not. There's a lot of that going on and it's letting the vendors down."
Lannin said this trend was accompanied by end users arriving at the conference expecting to walk away with a GDPR solution that would have them completely covered - a clear misunderstanding of how GDPR works.
"I spoke to quite a few delegates who went to InfoSec with the intention of trying to find out about GDPR, so I think the speculation by the vendors was warranted," he said.
"A couple of vendors I spoke to told me that customers were coming to their stand and saying 'what have you got for GDPR?'
"But it's a standard that cannot be fixed just by throwing a single solution towards it. Perhaps there was a bit of naïvety on the delegates' front, thinking that they could go along and pick up something to solve their GDPR issues, which isn't the case."
Fantasy tech
The established vendors were out in force, highlighting why their products are tailor-made for GDPR, but newcomers were also present with products designed specifically around the regulation.
One product, according to Ian Mann - CEO at security consultancy ECSC - claimed to be able to predict the amount a firm would be fined for a breach of GDPR.
"Some people were getting frustrated at the show," he said. "There was some nonsense being talked about, including a GDPR calculator. You move some sliders - I don't know exactly what it asks you - but you put in your details and your worldwide turnover and it tells you what your fine would be.
"It clearly has to be nonsense because we haven't got the law yet and who can predict the methodology that the Information Commissioner's Office (ICO) is going to use to calculate a fine?"
Mann said that while some vendors have honest intentions in saying that their products can help customers comply with GDPR, others can be heard claiming their products "give you GDPR compliance", despite this not being possible.
"The product side is when things start to get messy," he said. "Sometimes people will say 'this gives you compliance' and sometimes they will give you cross-references of how the legislation matches to their products, but from a cybersecurity point of view you cannot point to any particular product and say 'this gives you compliance'.
"The standard isn't a technical standard, it's a set of regulations that says you have to manage your security appropriately. It could really be anything."
Mann's advice to channel partners was to consistently refer back to the ICO's website for updates and not to get too hung up on what vendors and other cybersecurity professionals are saying.
"There are too many people listening to what others are saying and not looking back and actually looking at what's really being published. People should read the regulations and keep up to date with what the ICO is putting out.
"Everyone is talking about this four per cent fine [for example], but if you read it properly it's actually only two per cent for cybersecurity, so I'm one of the few people who is downplaying it.
"Let's have a bit of honesty. If someone is consulting in this area, they should actually read the document."
Customer fight-back
But while it appears that vendors, whether intentionally or not, are over-egging their products' abilities when it comes to GDPR, some security officers are becoming less gullible when it comes to buying products.
This is the view of Rob Pooley of security reseller Saepio, who said that at this year's InfoSec he saw customers start to challenge the advice given to them by vendors, rather than taking their opinions as gospel.
"Because the industry is growing so fast there are a lot of new people who don't have a lot of depth and experience to talk in detail about these things and put it in the context of a wider security ecosystem," he said.
"Customers these days, rather than being less educated, are more educated. There was a time when customers didn't really have a clue about security and very much relied on the people in the security channel to give good, independent advice.
"Now the tides are turning. There are far fewer educated people with a broad-breadth and long-time knowledge who can truly add value to customers.
"It's getting to a point where they have more knowledge than the people they speak to on the stands. That was particularly noticeable this year and customers were commenting on that."
Channel opportunity
Carl Gottlieb, director at Palo Alto Networks and Cylance partner Cognition, explained that GDPR, in theory, requires no security measures beyond those that should already be in place.
Where CSOs have not been able to get this funding previously, now they can use GDPR as a catalyst to procure the products they need - which presents an opportunity for the channel to drive business, Gottlieb said.
"Vendors play to their strengths. They've framed it as a data security problem and they're right in some respects, but GDPR has 99 sections of which security is one. They can help you with some parts but the majority is about processes and there's no way technology can help.
"But you've got a weird dichotomy going on where you have people over-emphasising the fines, saying everyone is going to get fined billions of pounds, when the reality is that won't happen, but that fear is still there and that is useful because it creates a board-level agenda.
"That's creating the funding to go and do the things they always should have done. In an ideal world we shouldn't have to do that; we should just be able to say 'here's the benefit to your business, go and get the funding', but [the channel has] tried that for years and it's never really worked because the board didn't get it.
"Unfortunately, that FUD acronym of fear, uncertainty and doubt does actually work."