Counterpoint: Ambulance Chasing Works
I recently made the case that the vendor community’s response to WannaCry and Petya/NotPetya was counterproductive and classless. I’d like to present a counter-argument: vendors do it because they can, and it’s profitable. Enterprises in turn engage with those vendors (or the business) because it allows them to bring on more people, buy more products, and increase their stature.
Here are my quick thoughts on why ambulance chasing works in InfoSec.
It works for the buyer
Previously, I asserted that organizations won’t and can’t make buying decisions during an incident. To channel my inner Ronald Reagan, while my heart tells me this isn’t true, the facts tell a different story. This is a case where I simply needed to step back and separate what I wanted to believe and what was actually the case.
For a variety of reasons, our partners in the rest of the business and within management don’t take action on InfoSec’s recommendations. I’m not saying we in InfoSec aren’t culpable (you can read my thoughts and Daniel Miessler’s about that here). What I am saying is that when the chips are down we use a crisis to purchase new tech, hire new personnel, and raise our stature. I’m actually not prepared to blame anybody. We do what we need to do. But then we can’t deny that ambulance chasing works and we can’t deny it suits our needs at times.
It works for the seller
If client X isn’t taking your calls and then all of a sudden, they are, and now they’re cutting purchase orders, what are our friends in sales supposed to do? Does sending out email blasts saying, “We would have stopped this attack” seem silly, false, and tacky? Of course it does. Is it misleading at times? Yes. But again, we’re not debating the merits and ethics. I’m stating that buying decisions are made because of those incidents and the emails and calls that follow. An incident opens the door to sales. It would be sales malpractice to not walk through that open door.
It’s all well and good to kvetch and moan about the state of things but in the end, we’re all responsible for our actions, who we work for, and how we conduct ourselves as an industry. As buyers and sellers of technology, we all know we use incidents to advance our cause. I’ve been living it for years. I just didn’t see it because I didn't want to believe it.
Creating an InfoSec program during and because of a crisis isn’t a good idea. I don’t endorse it. But, any port in a storm I suppose.
I’m calling myself out here but in truth, I honestly believe I’m “one of the good ones.” But because of that, I’ve left a fair amount of money and access on the table. Sure, maybe it will come back to me in the end, but who knows when that will be.
"My Inner Ronald Reagan" would be a pretty rad name for a band. Just throwing it out there.