Success in cybersecurity is when nothing happens, plus other standout themes from two of the event’s keynotes
07 Aug 2025

The 2025 edition of the Black Hat USA conference kicked off with an address from founder Jeff Moss that featured several thought-provoking comments.
Among other things, he remarked that technology has become political and pointed to geopolitical sanctions and bans that limit cooperation and hit revenues, ultimately slowing down innovation. In some instances, there may be grounds to limit the use of some technologies, but referring to technology as political certainly grabbed my attention.
Another comment was more philosophical: do companies adapt to the culture of technology or do they adapt technology to their culture? This question is highly relevant today, as we can all relate to moments when we see a company change path to maximize profits at the expense of the customer.
In my experience, customer service is almost always a prime target for cost saving – from outsourcing a call center to low-cost labor markets through to today’s use of generative AI systems as the initial point of contact, which effectively creates a self-help barrier to reaching a human representative.
It’s important that companies think seriously about the culture question posed. Do they want technology to dictate or shape how customers view the company culture, or do they want to maintain the perceived culture? The latter may require less technology and more human interaction, or just a more thoughtful way of deploying technology.
As AI becomes more widespread, the culture question becomes even more important. In the hours leading up to the conference, I experienced this firsthand: I asked the AI chatbot at my hotel resort at what time the gym opened, and it answered promptly: 6 a.m. – 6 p.m. Then I asked where the gym was located, and the chatbot answered that it does not have the answer to this and instructed me to contact the front desk. An interaction with a human provided a different response: the gym is open 24/7 and it’s on the 3rd floor. To sum up, the service from the AI automated system was inaccurate and unhelpful, and for me it reflected on the hotel brand.
Who’s to blame?
Meanwhile, the keynote by cybersecurity veteran Mikko Hypponen was largely a history of his career in malware research. As with Jeff’s address, there were two interesting comments that caught my attention.
First, Mikko challenged the perspective that whenever a user clicks on a phishing link, the blame is typically placed squarely on the user, with the conversation then turning to the need for more cybersecurity awareness training.
Mikko put a different spin on this, however, and pointed out that the failure is actually with cybersecurity systems, because the link should never have reached the user in the first place. This is an interesting comment, as when we read an article about a security incident, we hear of it starting with a user clicking on a link. It never mentions it was a link that the cybersecurity team failed to stop from getting to the user.
Then another great point – success in cybersecurity is when nothing happens. This is a true but bizarre paradox that I know many consumer cybersecurity vendors grapple with, as they need the customer to know that their product is working and adding value.
For me, though, the comment sparked yet another thought: do companies reduce their cybersecurity investment if all the threats are detected and nothing happens, ultimately increasing the risk of a cyber-incident? And with declining investment, do we re-enter the cycle of successful cyberattacks, causing disruption and higher cyber risk premiums, which then drives further investment in cybersecurity and we become trapped in a never-ending cycle?
Mikko, a three-decade veteran of the cybersecurity industry, concluded his keynote with an announcement that he is departing the industry and joining a defense contractor. I wish him the best of luck with the new endeavor.