A couple of weeks ago I issued a survey on behalf of one of my clients, client Tufin Technologies. The survey sampled 79 DEFCON attendees on their opinions about everything from when they felt the best time of the year was to hack (winter) to what percentage of the community they thought were engaged in criminal activities.
The survey, I'm happy to report, was a hit, and got a lot of ink, in great part to the cheekiness of my UK counterpart, Yvonne Eskenzi of Eskenzi PR who to my great benefit, has taught me how to think in headlines.
There were a few that took issue with our survey, including an analyst colleague whose opinion I value. He felt the survey was not indicative of reality based on his knowledge of and experience with attack trends and was able to point me to an article that counter to our findings.
Credibility is currency, right? Hard to accrue (especially for PR folks, as I am constantly reminded), easy to lose. While we were crystal clear about our methods - we were simply reflecting the opinions of the folks we sampled -- his note still bothered me.
Until.... I recalled an experience of mine that put everything into perspective. Last year's pre- RSA conference analyst teleconference. The call had analysts from Forrester (a friend of mine), IDC, and Nemertes weighing in on (among other things) how the recession was impacting security spending. Three different firms, three different sets of constituents, three different assessments -- spending was flat, going down, going up.
So which one was it? My take-away - all of the above. To this day, I know plenty of folks who are getting hit by the recession, others who aren't. What you see depends on where you're standing, right?
Same goes with our little survey. We were just reporting on what the folks we sampled said. Just because they said they believed winter was the best time to hack into a network, doesn't mean that we shouldn't be paying attention the rest of the year. Who knows -- maybe quiet summers were their justification for a week of debauchery in Vegas? Or maybe -- just maybe - that was what they really thought.
Does the fact that the State of Michigan has dealt with disruptive cyber-attacks in August discount our findings? Should it?
I don't think so, and based on the interest in the results, neither did the majority of the press.
So...where am I going with this?
a) an abundance of information is no replacement for critical thinking
b) there can be two rights without one having be wrong
c) trendspotting is not a perfect science
So there you have it. Back to the daily grind....
i still dont think that 79 people = any sizable chunk of any category; security professionals, script kiddies, real bad guys or enough people to make a trend.
hey i just surveyed 100 people and they all said purple is the new black...therefore it must be true!
Posted by: CG | September 10, 2009 at 08:58 PM
Okay...so disregard it.
My whole point is that it's up to the consumer to determine what's what.
Posted by: Elizabeth Safran | September 10, 2009 at 09:14 PM