Q

Are independent researchers out for fame?

According to a recent X-Force report, it seems some independent researchers may be more interested in fame than exposing security risks. But how accurate is this assessment? Security management expert Mike Rothman gives his take on the issue.

As a security manager for a large organization, I try to keep an eye on vulnerability disclosures from all sources -- news, blogs, research groups, vendors, etc. However, X-Force recently released a report that seemed to cast a shadow on independent researchers. If those guys are out for fame, as the report suggests, should we pay less attention to them?

A

Security professionals are paid to protect the private data and intellectual property of their organizations. That means it's necessary to evaluate every credible threat and decide if/when to take action.

Infosec pros don't have the luxury of playing favorites in terms of where credible threat information comes from, so I think it would be a bad idea to take any legitimate threat information less seriously.

That being said, clearly there are a number of security researchers out there who are more interested in their own celebrity status than in helping out the industry, but those individuals are few and far between. Most of the researchers I know actually lose money by doing their research -- given the opportunity cost of poking at applications and network infrastructure -- as opposed to billing large customers a lot of money to tell them where they are exposed.

The X-Force survey was arbitrary at best. It used a criticality metric that is subjective and probably not relevant to most organizations. Of course, they have to keep their own research teams motivated, so it's clear why they would beat the drum for that kind of survey.

A lot of these rumblings about independent security researchers are irrelevant. The sooner a potential security issue is exposed, the better. If that information comes from a big company, that's great. If it comes from an independent researcher, that's good, too.

Keep in mind the bad guys don't play favorites. Neither should anyone else.

This was first published in August 2008
