So I was listening to Paul’s Security Weekly
(@securityweekly) podcast last Thursday night when one of their guests, one Michael
Santarcangelo (@catalyst), used the phrase, “Risk Catnip”. I almost fell on the
floor laughing, as he weaved that phrase into his thought without any hesitation.
It surprised everyone on the show and we all got a great laugh out of it.
The next day, since I loved that phrase so
much, I decided to re-Tweet his phrase along with some other phrases ending
with “catnip”. One of those phrases was “Threat Catnip”. A follower of mine by
the name of @PeterGanzevles (Hacktic) replied with about the best response I believe
I ever heard: he coined the term “Threatnip”, which got me thinking… (I know, I
know, keep your jokes to yourself).
“Threatnip”, as it turns out, is actually a
real thing and it’s used all the time as a lure to get executives to buy into
Threat Intelligence products like reports, dashboards, blinky boxes and
consultations. And much like catnip, once the prey has pounced on the lure and
plays around a bit, the thrill is gone along with a considerable amount of
money that could have been put to better use. Now I’m not saying that there is
no use for Threat Intelligence, in fact, quite the opposite is true, but there
has to be more than just the “Threat” part, because, as “Intelligence” implies,
it must serve as a function of a continuous cycle of security posture improvement.
The moral of this short story is this: don’t
be a “Threatnip” peddler, be a total solutions provider!
Here are some people that are much wiser than I
on this subject:
Edward McCabe (@edwardmccabe):
John Berger
Rafal Los (@Wh1t3Rabbit)