Why is it that so much security and/or risk management advice is just like 'sugar water'?


In its simplest form, 'sugar water' is a small amount of sugar added to water for taste, energy and a sense of refreshment. 

A child can set up a 'lemonade stand' by adding sugar and lemon for a significant profit as the base ingredients are both cheap and readily available in many parts of the world. 

There is very little expertise required, and there are few barriers to entry. 

The product is not overly engineered; as a result, just about anyone can enter the market.

Conversely, multinational brands can make sugar water. 

It can be called soda, soft drinks, fizzy drinks, energy drinks... even water. 

Consumers develop strong brand association and preferences. 

Multimillion-dollar marketing campaigns are developed, and significant science goes into getting more people to buy and consume sugar water. 

Sure, there is science that goes into the 'sugar' element of the equation too. 

Manipulation of compounds and science can result in humans consuming unnatural levels of sugar, causing all sorts of adverse health outcomes. 

Sugar can even be replaced altogether, and the consumer never knows the difference. 

These sugar replacements can have accelerated, long-term adverse outcomes for individuals and communities. 

It is big money. 

Sizeable community water supplies can be consumed to produce sugar water. 

Lots of jobs and sizeable parts of the economy then become dependent upon the product. 

Offshoring means making sugar water in cheaper economies to sell to middle income or privileged economies. 

In some instances the brand uses so much water, it now becomes a purveyor of water too. 

Pure water, mountain water, mineral water, exotic water or just the plain old 'tap water' supplied to homes and businesses, in a pretty bottle and at a hefty markup. 

The process is largely automated. 

Large volumes can be produced at very little cost. 

No person or accountability is assigned to the final product, just a brand. 

Employees are 'brand proud' and may even espouse 'corporate social responsibility' or other catchy phrases. 

Everyone needs work and money, so lots of people want to work at these brands, and consumers who want to be employees cheer and support the brand. 

Governments and medical bodies then realise the requirement for 'regulation' of such products and services. 

Even marketing and subliminal messaging are examined and regulated. 

Products now require clear labelling, and all ingredients and contents must be disclosed. 

Food and drug authorities monitor or regulate the minimal permissible levels.

Some celebrities then champion a 'sugar tax'. 

Positive and negative sentiment is then 'monitored' under the name of marketing, brand surveillance or some other obscure data analytics title. 

Speak out...and you have an entire industry, economy and infrastructure applying pressure and drowning out the message or the individual. 

Security and/or risk management advice could replace 'sugar' in nearly every example. 

In other words, security and/or risk management advice is little more than a little sugar added to a routinely available resource at a significant markup, represented by large multinational brands and marketing budgets. 

At least sugar water is regulated to a degree and the contents are required to be displayed on the packaging. 

Security and/or risk management advice is opaque, mystical and rarely revealed. 

"Sources", networks, pedigree, Agencies, governments, 'training', service and countless other manipulative terms are used, but the 'ingredients' are not. 

Where exactly does your 'advice' come from? 

What data is it based on? 

What research supports your theory?

What peer review has been undertaken? 

What specific citations or information is your assessment based upon? 

A total lack of disclosure in most instances. 

The 'product', that being security and/or risk management advice, has very few barriers to entry. 

Any child can set up a 'lemonade stand' and sell their sugar water. 

So too can just about any security and/or risk management 'consultant'. 

How much of the end product is water, and how much is sugar? 

How much of the security and/or risk management advice is water and how much is original content made by the individual or brand? 

How much is just copy and pasted from other sources? 

How much of the one report is sold multiple times to multiple clients? 

No context, all 'sugar'.

Automated, made in large volumes, with no details of the content, just branding, then sold off around the world to local buyers or consumers from other markets who only recognise that brand because they never try or trust the local product.

Big brands and flashy marketing lead to 'brand loyalty' and unnatural consumption of an unknown product/substance that has proven medium- to long-term negative 'health consequences' for the individual and business. 

Have you checked the label on your security and/or risk management advice? 

What is the source? 

What is the science behind it? 

What are the ingredients?

Where does it come from? 

What harm, damage or negative outcomes may result? 

You may find that your long-term addiction to 'sugar water', produced in bulk by nameless and credential-less individuals and sold by brands and broadcast marketing campaigns, is a better summary of your security and/or risk management advice. 

You may also find a growing number of the larger security and/or risk management brands have mass media and marketing professionals manipulating or tracking your preferences and activity too. 

Again, they are easy enough to identify. 

All brand, no people names. 

No citations, no non-brand data, no references, no qualifications, and advice that is neither verifiable nor reliable. 

Drink up!

Tony Ridley

Enterprise Security Risk Management & Security Science

Chris Anquist, MA CPP

Board-Certified Security Professional | Industry Contributor & Speaker | People-Focused & Results-Driven

1 month

Fantastic Tony Ridley, MSc CSyP FSyI SRMCP the ‘sugar water’ analogy nails a core problem—security consulting is often more about branding than verifiable expertise. But isn’t the real issue bigger than just transparency? Unlike regulated professions (medicine, law, engineering), security consulting has no universal standards, licensing, or enforced ethics. Should we be pushing for the professionalization of the industry to separate true expertise from mass-produced, repackaged advice? If not, what’s the alternative to stop the ‘sugar pushers’ from dominating the market?

Augusto Bordallo Fontes

ISO 31000 | Risk and Internal Controls | Audit | Compliance | Financial Crimes | Segregation of Duties | Loss Management

1 month

Excellent, very interesting text. I analyzed the concept of 'copy and paste,' and it made me realize how widespread and embedded it is within organizations. It is very common to apply the same methods to different contexts, even when they may not be appropriate...

Carsten Busch

Safety Mythologist and Historian. The "Indiana Jones of Safety". Grumpy Old Safety Professional.

4 years

Thanks Tony - I like the metaphor/analogy!
