I was there when the bubble burst in ’99. If you are too young to know the reference to the bubble of 1999, or if you are so old that you have forgotten it, 1999 was the year that the "internet bubble" burst. What was it that caused this bursting effect? The internet wasn’t the problem. The internet is still here. The problem was driven by the defective business model of many internet-based companies. There were just too many companies doing the same thing, competing in the same space. Investors could not see a viable, sustainable business, and only those with a real plan for the future survived.

The current vulnerability warning system seems to be on the same brink of failure. Too many vulnerabilities have been branded with names and logos. The folks on one of my favorite security webcasts often joke that the only thing missing from the latest-named vulnerability is a theme song and dance. How many of us remember what the vulnerability CVE-2014-3566, otherwise known as "POODLE," involved? Worse yet, do you think your CIO or CEO would treat you seriously if you walked into their office to tell them that you fixed the POODLE vulnerability? I am confident that a fire hydrant would be the only reference point for them if you mention a canine-named vulnerability.

There are three stages in which this naming game can be more damaging than helpful:
- Fatigue
- Apathy
- Dismissal
Since some security professionals are already joking about the new method of naming vulnerabilities, it is clear that fatigue has already set in. Names and logos seem to stimulate apathy rather than a call to action.
You: “Hey boss, we have three servers with the Heartbleed vulnerability.”

Your Boss: “Should we call a doctor?”
Once the lack of any emotional response becomes the norm, dismissal can easily follow. Could these names put our profession back a few years by trivializing some of the existing and newly discovered problems?

Executives rely on their security teams to explain a problem in language that they can understand and in terms that are relevant to their business. While there is plenty of business jargon that we can criticize, none of it rises to the level of the arcane acronyms that have been the problem of the computer profession for years. Just when we finally figured out how to stop talking in acronyms, it seems that we are replacing that language failure with an equally weak approach.

Remember the bursting of the internet bubble. Just as the internet and viable web-based businesses survived, vulnerabilities will always be here. It is our job as security professionals to explain the risks they pose in language that the non-technical among us can understand and act upon.

What do you think? Is the vulnerability warning bubble about to burst? Do cute names and logos hurt, or do they help? Leave your comments below.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.