Information security lessons from Theranos

With the exception of a passing comment about digital forensics on a desktop computer and email controls, Bad Blood: Secrets and Lies in a Silicon Valley Startup by Pulitzer Prize-winning investigative journalist John Carreyrou, seemingly has nothing to do with information security. It’s an extraordinarily fascinating and riveting book. And once digested, there are a number of lessons that anyone involved in information security can learn from.

A quick recap: Theranos was a health technology company that claimed it created a revolutionary method to perform a large battery of blood tests from a few drops of blood taken from the finger. Theranos was started in 2003 by then Elizabeth Holmes, a then-19-year-old dropout from Stanford University.

With her charm and persuasiveness, Holmes was able to raise more than $700 million from venture capitalists and private investors. At its peak, Theranos has a valuation of over $10 billion, with Holmes’s net worth almost $5 billion. All of that came crashing down when Carreyrou wrote an exposé in the Wall Street Journal in October 2015 that exposed the fraud.

By March 2018, Theranos was nearly bankrupt, when Holmes and former company president Sunny Balwani were charged with massive fraud by the SEC, in addition to wire fraud and conspiracy charges. This turned out to be the largest corporate fraud case since Enron.

With that, here are a few of the information security lessons to be learned from the Theranos debacle:

Most things are evolutionary, not revolutionary

Holmes ideas were revolutionary. Making blood testing easier, quicker and cheaper would be a medical breakthrough and revolutionize the industry. This ground-breaking idea from a 19-year old college dropout was a breakthrough that stymied some of the largest and most prestigious pharmaceutical firms. Those firms had thousands of PhD scientists, Nobel prize winners and countless labs. Yet her revolutionary idea was a complete scam.

Information security has had a few revolutions. Public-key cryptography comes to mind. Yet the vast majority of advances are evolutionary. Beware of wild vendor claims that attempt to bypass the normal development process.

Beware of the snake-oil salesperson

Theranos founder and CEO Elizabeth Holmes was often compared in the media to being a female Steve Jobs. As an entrepreneur, she was brilliant, had a passion for healing the sick and the ability to send a strong message.

Yet she was nothing more than a snake-oil saleswoman. She preached a strong and passionate message, but when directed questions were asked to her, she punted. She was selling a dream for an idea and technology that didn’t exist. The ability to do what she proposed was so utterly difficult, that the book quotes an expert who doubted it could be done 500 years from now.

Information security has more than a few snake-oil salesman. The key is not be enamored by them. The best way to defeat them is to ask for evidence. And when they refuse to answer or deflect the question, ask again, and again. If they say they’ll get back to you, ask for a timeline and be aggressive in getting the answer from them. Be relentless for the truth. Snake-oil salesman can deliver a lot, the truth though is not one of them.

Board of directors of clueless old men

The Theranos board of directors read like a listing of the most powerful men in the world. Looking at the names of the board member, one would think it was for a Fortune 50 firm, not a stealth-mode startup. Board members included the most powerful litigator in the U.S. David Boies, former Secretaries of State Henry Kissinger and George Shultz, former Secretary of Defense William Perry, General James “Mad Dog” Mattis, retired Senator Sam Nunn and more.

Many of the investors who poured hundreds of millions of dollars into Theranos did so as the board of directors were seen as men with sterling, larger-than-life images who gave Theranos a stamp of legitimacy.

The problem was that nearly the entire board consisted older men with extensive government, diplomatic and military experience, but none with any real-world life sciences or medical experience.

Some information security firms will have people on their board of directors or as senior advisors with no information security experience. To that point, it is important to bring those to the boardroom who may have experience in different sectors, which could lend some expertise to the information security sector. But by loading a board with those who have no clue to the product at hand, they are selling an image, not a security solution.

Conferences banned booth-babes for a reason

The RSA Conference started to crack down on booth babes a number of years ago. At her core, CEO Elizabeth Holmes was nothing more than a booth babe. Her charm, beauty, combined with her intelligence and powers of persuasion enamored her to the board. It’s not ironic that while Holmes championed the empowerment of women, it was women who were completely excluded from her board.

Former Secretary of State George Shultz was one of Holmes biggest supporters. His grandson Tyler Shultz worked at Theranos. When the younger Shultz saw the lies and deception that was occurring at Theranos, he resigned. He’d later play a large part in the unraveling of Theranos as a whistleblower and key source for Carreyrou. The senior Shultz was so taken by Holmes, that when David Boies came to the Shultz home to pressure Tyler, George Shultz sided with Holmes and Theranos, and not his grandson.

Be they in the form of someone trying to make a sale, or entice you to let them scan your badge at a conference, there’s no place for booth babes in the information security sales process. The key is to be seduced by the utter effectiveness of the information security product, not the person selling it.

There’s no magic in a Magic Quadrant

Holmes would repeatedly tout that Theranos devices were FDA approved, and had the endorsement of Johns Hopkins University. But there was no real validation and never any independent testing.

One of the most beloved marketing and PR tools is the Gartner Magic Quadrant (MQ). A MQ compares vendors based on Gartner’s standard criteria and methodology. Each report comes with a graphic that depicts a market using a two-dimensional matrix that evaluates vendors based on their Completeness of Vision and Ability to Execute. Every vendors dream is to be on the upper right part of the MQ.

But MQs suffer from an inherent flaw – Gartner does not actually test or use the software under evaluation. And this is the point that is lost on many people – the MQ is meant as a market analysis report, not a recommendation list.

The lesson here for information security is significant – don’t trust an MQ to be more than an inventory of vendors. Do your own pilot tests and evaluation of a product under consideration. Full deployment of enterprise information security solutions can easily run into the millions of dollars. Good testing can bring out flaws in the product. But often more importantly, if the product is even right for the organization.

While a CSO may think they are successful by negotiating a better contract price with a vendor; they can often save huge amounts by having their teams perform internal product testing and validation.

If a vendor shows you that their product is featured on an MQ or has won an industry award, just say thank you and do your own testing.

Don’t use fear as a weapon

Theranos was a toxic environment were employees worked and lived in in a state of fear. Employees who pointed out problems or expressed disagreement with Holmes or Balwani were considered not team players. Theranos made heavy use of legal threats, expensive Silicon Valley law firms, non-compete and non-disclosure agreements, and finally, setting David Boies, the litigator who brought Bill Gates to his knees, on anyone who they saw as a threat.

Mathematician Jacob Bronowski said he once disagreed with John von Neumann. Bronowski realized overnight that von Neumann was right. In the morning, Bronowski telephoned von Neumann to tell him this. Von Neumann apparently replied, “You woke me up to tell me that I was right? Please wait until I am wrong.”

Functional firms operate in environments where collaboration and respectful disagreements are encouraged. Many information security groups are told to be more empowering of new technologies. But if the security technology is flawed; the best way to be a team player is to let the CSO know about it. We are all human and make mistakes. Those who bring those flaws to our attention should be empowered, not litigated against.

A great read

Security awareness is an important part of any information security initiative. The key is to make any awareness presentation interesting and engaging,

For those who plan on reading Bad Blood: Secrets and Lies in a Silicon Valley Startup, make sure to do it in your off hours. It’s so engrossing, you may forget to do you work, and that would be a policy violation.