Security vendors Wanna grow up

Not that the UK really needs another story about WannaCry, but it is interesting to note the lack of vendor commentary around the event. A quick check on Factiva proves that theory.

Usually stories around hacks and vulnerabilities are owned by a variety of cyber security firms. It’s a fairly regular cycle of content between vendors, PR firms, IT journalists and various other parts of the security ecosystem; largely played out in IT trade publications.

With WannaCry, it was a different story. In the UK, most of the security ecosystem has some sort of relationship with the much-cherished NHS. As a result, most security vendors were too busy checking any potential culpability to indulge in their usual ambulance-chasing coverage tactics. No one wants to be forced into an awkward climb-down, let alone attract national scorn.


The sheer size and scale of WannaCry meant that it was a story that instantly went to a set of journalists – health, political, home affairs – that rarely cover tech. It is a set of journalists that the security vendor market doesn’t regularly brief. While it was similar with the Ashley Madison fiasco, where the vendor crowd missed out a little, WannaCry has been far more pronounced.

The only vendor that really took part in the discussion was Microsoft. It had little option given that XP sat at the heart of the story. It is also well seasoned in explaining why organisations only have themselves to blame for still using an operating system launched in 2001 (effectively ‘pre-internet’ by modern standards) and that has been unsupported for more than three years.

In terms of third-party commentators in UK media, it was the NSA, European Police Office and Russian Ministry of the Interior that dominated the coverage (none of them UK-based). These were serious organisations, without a ‘sales leads’ motivation, that became the security industry’s spokespeople.

WannaCry may turn out to be a defining moment for security vendors’ approach to external communications; a time to move beyond reliance on reactive methods and comment in favour of more serious discussion and higher-level relationships. Hopefully we will see vendors engage in a more cerebral participation around the issues presented by a world so connected that digital is becoming a principal weapon for organised crime, terrorism and international conflict.