In a 2016 New York Times Magazine profile of Ben Rhodes, President Obama’s then deputy national security adviser for strategic communications, Ben was quoted as calling the American foreign-policy establishment “the Blob.” He considered The Blob to be Iraq war promoters from both parties who talk about the collapse of the American security order in Europe and the Middle East.
Beyond foreign policy, The Blob represents a group of people that are so deeply caught up in their own echo chamber they have become one unit — one blob — that self-reinforces a set of ideas … a critical mass of people that are “high on their own supply.” They are also often out of touch with those actually doing the work, so caught up in their own thought experiments that they fail to see the reality on the ground.
In the security industry, we have our own Blob: a group of people that have simmered in the industry for much if not all of their careers to the point where the lines between vendor marketing messages and reality have completely faltered.
I have seen this firsthand, and part of what makes this so stark is the dichotomy in which I exist where I spend time with the vendors selling products and the customers trying to solve problems. I often jump from a vendor briefing full of false, single-solution promises to a practitioner meeting where we get to the root of security issues. These are complex problems with even more complex answers.
Not every person working at a vendor is part of The Blob — there are some incredible practitioners in vendor organizations and enterprises alike. However, the unholy trinity of sales, marketing, and investors, driven by a rampant ambulance-chasing mindset and years of overinflated valuations, has created an environment where The Blob flourishes and practitioners are held back.
Here are some examples of The Blob at work:
- “SIEM is dead!”
- “AI solves the detection problem.”
- “You don’t need detection if you have good prevention.”
- “EDR coverage is enough — you don’t need to detect network activity.”
- “Hack back!”
- “The autonomous SOC/automation will take care of that talent shortage for you.”
And, in contrast, the practitioner community:
- “How can we architect our data ingest to minimize costs while still bringing in the right logs for detection?”
- “What are best practices for automation in the SOC, what are common use cases, and how many FTEs do we need to dedicate to it?”
- “What options does the offering have for hosting in different regions?”
- “What’s the depth of the RBAC model?”
- “How is the offering licensed, and does it help us predict costs?”
- “What are the best tools and process to manage and document incident response processes?”
The difference is stark. And it’s hurting the industry as a whole. It prevents us from having the deep, real conversations about the actual issues practitioners are facing today … unless you make a concerted effort to avoid The Blob.
However, there’s good news: It doesn’t have to be this way! You too can help stop the spread of The Blob (and you don’t need Steve McQueen to do it). If you find yourself affected by The Blob, listen to a practitioner. Attend talks that get into the nitty gritty — not theoretical, but actual technical problems. Challenge the status quo and think critically and deeper than the one-off comments you hear.
If you are a practitioner dealing with The Blob, call it out. Highlight the reality of the situation and find those that push back on The Blob. Have the deeper conversations.
For more examples of the misleading messages of the Blob (and the pushback against them), read The “Autonomous SOC” Is A Pipe Dream, The Top Seven Most Misused Terms In Cybersecurity, and The Top Five Lies Security Vendors Tell About The SIEM.
Schedule a guidance session or inquiry with me to discuss The Blob and ways to cut through the noise. Better yet, join me at the Forrester Security & Risk event in November. Jeff Pollard and I will deliver a keynote, “Adapt And Adopt: Balance The Acute Risk With The Burgeoning Reward Of AI.” I’m also speaking on “Transform Your SOC Into A Detection And Response Engineering Practice.”