Posted 26th of May, 2023

Do we need regulation to solve the ethics and integrity problem in security marketing ?

If the industry doesn't clean up its own act, I think regulation will be inevitable. We need to be able to recognise good work without trawling through bullshit.

Marketing and selling in a commercial industry is absolutely necessary. That means individuals who want to market themselves to move their careers forward, consultants who want to attract more clients, and companies who want to sell more tools or services. I have no problem with it. I would be a total hypocrite to deny that this is why I am writing this article: our blog is part of our content marketing. This is also one of the reasons I wanted to find a commercial model for OWASP and tackle it head on. We can't pretend it's not a thing, or that side-effects like self-serving projects and self-serving opinions aren't real. They are, it's human nature and that won't change, but as long as it's transparent, consumers can make their own informed decisions.

There is a growing awareness, and maybe even a movement starting, to improve ethics and integrity in our industry. Initiatives such as Ethics in Security and The Silly Security Awards (which I helped create along with Thinkst Canary and Resourcely) are both raising awareness of the issues and trying to get the industry at large to pledge to stamp them out.

In the age of misinformation and online propaganda, Putin uses similar tactics to tell the Russian public that the West are Nazis coming for Russia. The Chinese used it to oppress the Uighurs. Trump uses it as a tactic all the time: fake news, alternative facts. Of course what is happening in security is nothing like what is happening on the world geopolitical stage, but we are living in an era where the Internet lets anyone get in front of anyone they want, regardless of geographical location. If you have money, you can target specific people or specific companies with adverts. On Twitter you can target individuals, on Google you can target specific companies, and with some ninja SEO skills you can place your ads against specific searches.

Some people profiting from misinformation will argue this is not a problem and that change is not needed. They will respond with more distorted information, cite edge cases, try to discredit those calling for change, and claim they are the actual victims rather than the perpetrators. For example, yesterday I had a PR company nominated for a Silly Security Award send me an email telling me "your ego needs deflating". I think that's an attempt at bullying, but as Upton Sinclair said (a quote I have used in public talks for over a decade),

"It is difficult to get a man to understand something when his salary depends upon his not understanding it."

I would adjust this to “... to understand or say something when his salary depends upon his not understanding or accepting it.”

Unless we have a way for consumers to trust messaging purporting to be fact, the burden is on consumers to do their own research. The reality is that consumers simply won't trust anything, and that is bad for everyone. Trust is key in security, which makes it all the more incredible that this is allowed to go on.

Today we have marketing, PR and even specialist awards companies manufacturing awards and selling them to vendors. This is akin to people creating fake university or education certificates. I have even been told of one case where a PR company awarded one to itself. The result is that consumers can't trust awards, which in turn means that genuine industry recognition, which is so valuable, is tainted.

We have security tool vendors creating testing benchmarks and magically coming out best in class. The result is that consumers can't trust benchmarking studies and have to perform their own, at great expense.

We have data brokers selling the customer lists of competitors. While the brokers aren't part of the security industry, the security companies that buy from them are. Both sides of that equation should be called out and prosecuted. A security company buying what is often stolen data blows my mind.

This is of course only the unscrupulous portion of the industry, and we certainly can't paint everyone with the same brush, but the net effect of their behaviour is that it affects us all. Even setting aside the harm to consumers, there are so many people, companies and initiatives that deserve to be recognised for their amazing work, and that recognition gets drowned out and devalued. We simply can't let this happen.

Security companies that ignore this problem, participate in it, or don't actively engage in improving it are, in my opinion, as guilty as those facilitating it. They are enabling it to continue. I hope consumers start to look at the vendors themselves, as well as their tools or whatever else they are selling, and only buy from companies that are committed to ethics and integrity. Everyone is human, no one will be perfect, and a clean sheet is unrealistic, but the industry deserves better than what we have today. Accept the past and commit to change. Support and enable change. Challenge the norm. Everyone needs to step up.

If the industry doesn't clean itself up, I think regulation will be the only option, a precedent we have seen in many other cases. In the 1950s we used to have adverts like the one below. It took governments to step in and share the truth.


Regulation won't solve the problem entirely, as history has shown. The worst culprits will move to a place where that regulation does not exist or is weaker. There are so many examples of that: Nestle telling African women that its baby formula is better than breast milk, and vape companies like Juul marketing to children. But what it would mean is that they can fuck off out of the security industry.

I hope with the help of practitioners, companies and people that care, our collective voices and actions will result in change. If that doesn't happen, I hope governments and regulatory authorities step up and do it for us.

The security industry deserves better.