We Need a New “Gray Team” for Cyber Security

In cyber security, we adopted the military model of red teams for penetration testing and blue teams for vulnerability analysis. I say it’s time for a new gray team – people charged with thinking through the misuse of systems. These are not attackers, but hostile users. This would be an uphill battle.

Everyone has heard the phrase: “Move fast and break things.” However, there’s another mantra that is just as binding in software engineering: “You don’t need a solution until there’s a problem.” A gray team would take on this mindset. It would not wait until the problems occurred; it would prevent them.

Here’s an example of a problem that should have been anticipated, but wasn’t: A woman using a P2P payment app kept receiving $1 payments accompanied by evil, threatening messages from a stalking douchebag ex, but there was no way to block someone sending a payment.1 It’s tempting to think: “Why would you ever want to block someone sending you money?” But the problem was the hostile use of the messaging aspect of the system. A gray team would know that almost all forms of human communication have been misused for abuse.

Another horrific example has happened to women who tragically have miscarriages, but their browsers and social media feeds remain flooded with ads for new baby things for weeks and weeks.2 Why isn’t there a way to report these ads for being in situationally poor taste? Organizations have been funding algorithm development to spot expecting parents, but a gray team would have identified that we needed a user-controlled “flush” command on this profiling. (If you’ve ever tried to report an ad for being misleading or in poor taste, you’ll soon find that those are not considered legitimate reasons to report ads.)

Some other examples of problems that could have been prevented:

  • Gay men have been hunted and beaten by homophobic thugs using the leaked location data from a popular gay dating app.3
  • A person set up a small business account with a credit reporting bureau. He then downloaded hundreds of thousands of credit reports.4
  • Realtors are reporting that vacant properties are receiving multiple letters addressed to different people from State unemployment benefits departments.5
  • End-users have clicked on ads that contain links to malware sites.6

These are all examples of how a huge blind spot is created by the mindset: “You don’t need a solution until there is a problem.” When I first entered the workforce, there was a humorous saying: “When you’re up to your ass in alligators it’s difficult to remember your original objective was to drain the swamp.” The main benefit of a gray team is that preventing problems will always be cheaper and easier than fixing them afterwards. Also, anticipating problems will prevent “technical debt” from piling up.

We need gray teams because it’s not realistic to expect individual software engineers to deal with this. It’s not about individuals, it’s about organizations. Organizations need to step up their game to protect end-users and conserve cash by avoiding costly rework.

Back in olden days (the 1980s), a wise mentor of mine observed: “Any system humans can create, humans can subvert.” Digital transformation would be a lot more productive and less abused if organizations methodically searched for and prevented ways to subvert the systems we create. Gray teams would be one way to do that.

References:

  1. P2P Payment Stalker: https://twitter.com/TweetAnnaMarie/status/766774995057987585
  2. Miscarriages then targeted with new baby ads: https://www.huffingtonpost.co.uk/entry/women-affected-by-miscarriage-and-infertility-are-being-targeted-with-baby-ads-on-facebook_uk_5d7f7c42e4b00d69059bd88a
  3. Grindr location data leaking: https://www.newsweek.com/grindr-location-leak-1453697
  4. Credit Bureau Misuse: https://www.businessinsider.co.za/the-personal-details-of-millions-of-south-africans-have-just-been-hacked-2020-8
  5. Unemployment fraud: https://www.ksby.com/news/local-news/central-coast-residents-flooded-with-fraudulent-edd-letters
  6. Malware in ads: https://www.imperva.com/learn/application-security/malvertising/

Much respect and appreciation to Jonathan Rothwell and Steve Freeman for their excellent presentation “So You Can Sleep at Night” (https://youtu.be/A5umy4lUOOY). They approach this as an inquiry into software engineering ethics. My approach is to build upon this from an organization systems perspective.

Content May be King, but Data Is Power Behind the Throne

I have often heard that “content is king” when it comes to demand gen. Yes, content can drive people to your website. Yes, content can fill the lead funnel with the names of people1 who download content after filling out a form. But content alone cannot and will not help you understand your install base and how to find others who want to buy your product/service. Only data can do that.

A lot of companies spend tremendous effort on creating content for blogs, white papers, and social media. I guess it makes sense. After all, lead scoring and customer profiling are hard. If it were easy, everyone would do it, no? While it’s true that sophisticated tracking programs2 can determine which content is performing well, much more important data is elsewhere. Every company in this millennium uses some form of CRM,3 but strangely most companies don’t seem to use their CRM database to capture vital information, such as:

  • Why did we win?
  • Who did we compete against?
  • Which people within a customer performed various roles?
  • What other technology is part of the customers’ stacks?
  • How many customers do we have by industry?

One of the blind spots here is that the answers to these questions are known by some people. Certainly, eStaff level executives have a good feel for this. For everyone else in an organization, it’s usually buried in emails (unstructured) or known to different people scattered in the organization (fragmented). This important knowledge is just beyond the grasp of effective up-sell, cross-sell, customer references, and other campaigns.

The last question about customers by industry is highly significant. When a company starts to grow its customer base, one of the first questions new prospects typically ask is: How many customers do you have in my industry? In olden days (15 years ago), we called this our “quals” — our proof that we are qualified to work in your industry. I find it remarkable that 5 out of 5 startups I worked at could not run a simple query in their CRM to determine precisely how many customers they had. This was so, in part, because it wasn’t always clear what counted as a customer. (I used the word “precisely” because cross-referencing the accounts receivable database with the CRM database and tediously resolving the inconsistencies is less than precise.)

A great management consultant4 used to say: “The truth is usually found in the middle.” To that end, my take is that you need both content and data. If you don’t have an organized and systematic way to obtain data, maybe some of the resources applied to content could be redeployed for data.

Notes:

1 It’s amazing to me that most companies have to learn the hard way that people are clever enough to put in bogus information and disposable emails to get content. Thus, putting content behind forms is not a foolproof way to capture leads. At one company, I was in charge of the lead routing table. The first 3 of 80+ “routing rules” disposed of bogus names such as Bugs Bunny and swear words (lol).

2 Those sophisticated tracking systems are not cheap. Many companies pay tens of thousands each month for search engine optimization, syndication of content, pay-per-click ads, and “pixel fire” unique browser surveillance. Even more companies layer on more surveillance when they do not get tangible results. Is there any end to this?

3 CRM stands for “customer relationship management” (such as MS Dynamics or Salesforce.com). Here’s another unpopular observation: It’s the customers who manage the relationships they have with companies and not vice-versa.

4 My blessed mother taught me that line about the truth being in the middle. It has been borne out countless times in my experience. She also said: “People like to shop, but they don’t like to be sold to.”

For further reading

A simple online search for “best practices customer profile” yielded hundreds of results. One of them provides a nice step-by-step process for using customer profiles for revenue: Five Steps to Creating an Effective Customer Profile for Lead Scoring. Note: This resource is 7 years old, further support for the notion that there is no excuse for modern startups to trip and fall because of this.