Confusion sells. Simplicity doesn’t. And that’s no accident—it’s a damn business model.
IMPORTANT RANT ALERT – This post calls out vendors, “experts”, and so-called professionals. It’s VERY important to note that many vendors, experts, and professionals in our industry are good (“good” is subjective, of course). Here, I’m calling out the bad examples, purposeful or not. So, any offense taken is only meant for those who should be offended. Make sense?
Welcome to Part 5 of the Accountability in Cybersecurity is Broken series, on why cybersecurity accountability is a dumpster fire. Missed the earlier rants? Catch up: Part 1, Part 2, Part 3, Part 4. Now, we’re ripping the mask off one of the industry’s dirtiest scams: selling fear, uncertainty, and doubt (FUD). Vendors, “experts,” and even so-called professionals have turned FUD into their go-to excuse for greed and incompetence. It’s easier to scare than to educate, easier to sell noise than to do the hard, boring work of actual security.
And it’s killing accountability.
Vendors: Profiting Off Panic
- Ransomware Appliances – After WannaCry and NotPetya, vendors screamed “Buy this or you’re next!” Reality: these boxes did nothing that backups and patching couldn’t do.
- Next-Gen AV Hype – Marketed as the only way to stop “nation-state hackers,” most NGAV tools were glorified blacklists with dashboards.
- Cyber Insurance Rackets – Brokers push “must-have” software from their buddies: “No tool, no coverage.” That’s not risk management—it’s extortion.
- Zero Trust™ in a Box – Zero Trust is an architecture, not a SKU. But fear sells, and boards write million-dollar checks for buzzwords.
- Tiversa’s Extortion Scam – The extreme: Tiversa allegedly faked breach data to scare companies into contracts. FBI investigations, congressional hearings, and collapse followed. FUD at its ugliest.
And here’s the kicker: why don’t we hold these vendors accountable for false advertising, snake-oil promises, and outright broken products? If a car company sells you a vehicle that bursts into flames, there are recalls, lawsuits, and consequences. But in cybersecurity, vendors can hype up miracle cures that don’t work, take your money, and walk away richer. That’s not innovation—that’s fraud with better marketing.
“Experts” Hiding Behind FUD
It’s not just vendors. A chunk of our industry’s “experts” lean on fear to cover their own incompetence.
- Breach Fire Drill Cop-outs – “These were nation-state hackers. Nobody could have stopped them.” Translation: “We didn’t patch, didn’t monitor, and weren’t ready—but hey, blame Russia.”
- Compliance Theater – “No SOC 2 Type II? You’re guaranteed to be hacked.” That’s an auditor protecting their invoice, not your data.
- Boardroom BS – Weak CISOs hide behind trillion-dollar vendor stats. Those numbers? Pulled from thin air. Scary wallpaper for not knowing your own environment.
- Blaming Users – “People are the weakest link.” A lazy excuse for bad controls, bad training, and bad leadership.
And again, why don’t we hold these so-called “experts” accountable? If a doctor gave you terrible medical advice that made you sicker, they’d lose their license. If a lawyer gave you reckless advice that cost you millions, you’d sue them for malpractice. But in cybersecurity, consultants can give half-baked, fear-driven advice that leaves organizations weaker, not stronger—and they still get paid. No consequences. No accountability.
Evasion in Plain Sight: A Senate Hearing Example
If you think I’m being too harsh, look at what happened in a Senate hearing after the SolarWinds attack.
Senator Ron Wyden (D-OR) asked the most obvious, basic question: would a properly configured firewall have mitigated the breach? That’s network security 101. The honest answer was “yes.” But that’s not what the American people heard.
- Kevin Mandia (FireEye CEO) dodged with “it depends” and compared firewalls to gate guards who can be fooled.
- Brad Smith (Microsoft President) followed suit with his own “it depends.”
- George Kurtz (CrowdStrike CEO) admitted firewalls help, but quickly added they’re insufficient.
- Only Sudhakar Ramakrishna (SolarWinds CEO) said “yes” — but even then, he wrapped it in the language of NIST standards instead of a plain answer.
Not one of them said the obvious: yes, properly configured firewalls could have mitigated the attack. Instead of teaching that lesson, they hedged. Why? Because simple answers don’t sell. Complexity sells. Fear sells. Products sell.
This is the problem. We’ve built an industry where even in front of Congress, leaders refuse to admit that basic hygiene matters more than another shiny tool. We don’t need more buzzwords—we need honesty. We need accountability.
TRUTH: The IRS mitigated the attack by blocking egress traffic on their firewall (a “properly configured” firewall) because it blocked the attacker’s command and control communications. Ironically, FireEye did not mitigate the attack prior to noticing that they’d lost a substantial amount of data through the attacker’s successful data exfiltration (NOT a “properly configured” firewall).
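What a “properly configured” firewall means in practice, as an added example that is not from the original post or any vendor: a default-deny egress policy where outbound connections are only allowed to an explicit allowlist, so a compromised host cannot reach an unknown command-and-control server, and the denied attempts themselves become a detection signal. The allowlist, internal range and flows are constructed for illustration.

```python
"""Default-deny egress policy evaluator (added example, constructed data).

Models the mechanism the post describes: outbound traffic is denied unless
it matches a known-good destination, so malware beaconing to an unknown
C2 host is blocked, and the repeated denials stand out as a signal.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical egress allowlist: only known business destinations may leave.
ALLOWED_EGRESS = [
    (ip_network("203.0.113.0/24"), {443}),   # constructed: SaaS provider range
    (ip_network("198.51.100.10/32"), {53}),  # constructed: upstream resolver
]
INTERNAL = ip_network("10.0.0.0/8")          # constructed: internal address space

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def egress_decision(flow: Flow) -> str:
    """Return 'allow', 'deny' or 'internal' for one outbound flow."""
    dst = ip_address(flow.dst)
    if dst in INTERNAL:
        return "internal"           # east-west traffic is not egress
    for net, ports in ALLOWED_EGRESS:
        if dst in net and flow.dport in ports:
            return "allow"
    return "deny"                   # default-deny: unknown destination or port

def flag_beacons(flows, min_attempts=3):
    """Repeated denied connections from one host to one external
    destination look like a blocked C2 beacon; return those tuples."""
    counts = {}
    for f in flows:
        if egress_decision(f) == "deny":
            key = (f.src, f.dst, f.dport)
            counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n >= min_attempts)

# Constructed sample: normal SaaS traffic plus one host beaconing to an unknown IP.
SAMPLE_FLOWS = [Flow("10.0.5.20", "203.0.113.7", 443),
                Flow("10.0.5.20", "10.0.9.1", 445)] + \
               [Flow("10.0.5.21", "192.0.2.77", 443) for _ in range(4)]

if __name__ == "__main__":
    for pair in flag_beacons(SAMPLE_FLOWS):
        print("blocked possible C2 beacon:", pair)
```

The point of the block is the default: a firewall that allows all outbound traffic would have let every one of those flows through, and the beacon would never have shown up in the deny log.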
Professionals Who Don’t Know What They’re Doing
And here’s the part nobody wants to say out loud: we’ve got too many “professionals” in this field who flat-out don’t know what they’re doing. They’re not malicious like Tiversa, and they’re not spinning shiny lies like vendors—but they’re still part of the problem.
They add tools they don’t understand into environments they don’t understand. That doesn’t make security better—it makes it worse.
Stop Buying Sh*t You Don’t Understand
It doesn’t make any sense to keep piling more tools into an environment you can’t even see. No asset inventory? Then how the hell do you know what you’re protecting in the first place? Adding more “solutions” into that mess doesn’t fix it—it compounds it.
Here’s the truth: I’d rather NOT spend a single dollar on information security than misspend one. If you don’t know where your next infosec dollar should go, you’ve got work to do before you buy anything new. And the LAST person you should ask for advice is somebody trying to sell you more sh*t.
And why don’t we hold practitioners accountable here either? If a pilot flew without knowing the basics, there’d be consequences. If a surgeon botched operations because they didn’t know their tools, they’d lose their license. But in cybersecurity, “professionals” can bungle their way through jobs, deploy tools they don’t understand, and when it blows up? The customer suffers, they shrug, and move on to the next gig.
Mission Before Money
Look, it’s fine to make money in this industry. I run businesses, too. But it’s not fine to do it at the peril of the very people you’re supposed to protect.
I have a saying: Mission before money. If you focus on the mission, you’ll make money. If you focus on the money, you won’t make the mission.
That Senate hearing made it clear: too many leaders are focused on protecting revenue, not protecting people. And that’s a big part of the reason why accountability in cybersecurity is broken.
The Real Cost of FUD
Why does this matter? Because it’s easier to scare than to educate. Easier to throw up scary stats than to do the real work of knowing your environment. Easier to point fingers than to take responsibility.
And customers are the ones paying the price—with wasted money, wasted time, and no real improvement in security. By mid-2025, the market is waking up. Leaders are tired of fear-based marketing. They want partners, not predators.
Even regulators are calling BS. UK cyber official Ian Levy delivered his “Magic Amulet” speech, torching vendors for selling gimmicky talismans instead of real solutions. He nailed it: too much of this industry looks like a medieval bazaar.
At FRSecure, we’ve had one rule since 2008: “Sell a client something they don’t need, and I’ll run you over with my truck.” (Haven’t done it yet. Truck’s still ready.) Point is, accountability matters. Push crap or bad advice? You shouldn’t be cashing bonuses—you should be shown the door.
The ugly truth is this: in any other industry, this level of lying, bad advice, and incompetence would land people in court, out of business, or out of a job. In cybersecurity? It lands them new clients, keynote slots, and bigger bonuses. That’s insane. Until we start demanding accountability from vendors, consultants, and practitioners the same way we do in every other profession, this cycle keeps spinning.
How to Fix This Sh*t
- Know Yourself – Before you buy anything, know your environment and your own capabilities, with truth and honesty.
- Demand Proof – If a vendor can’t prove their product works in your environment, don’t buy it.
- Keep It Simple – Complexity kills. Pick practical, effective solutions over flashy garbage.
- Call Out BS – If an “expert” leans on vague stats or scare tactics, demand specifics. What’s the actual risk?
- Educate, Don’t Scare – Vendors: stop terrorizing your customers. Teach them how to manage risk instead of pushing magic bullets.
Accountability in cybersecurity is broken because we’ve let fear and chaos run the show. Vendors sell it, “experts” excuse it, practitioners bungle it—and nobody pays the price. It’s time to grow a spine, call out the grifters, and demand better—from vendors, from “experts,” and from ourselves.
Stay tuned for Part 6. We’re not done tearing this circus down.
Also, feel free to tune in to InfoSec to Insanity, where Matt Goodacre and I will break this down even more.