Hacker, Researcher, and Security Advocate

Month: June 2021


Plagiarism at EC-Council, an Open Response

Cases of plagiarism by cyber security certification company EC-Council have been documented for over a decade. As I wrote previously, I personally was one of many victims of this behavior recently. On June 27, 2021, I was contacted by email by the CEO of EC-Council, Jay Bavisi, to inform me that they had released a statement regarding the issue.

On the surface, the statement appears genuine and direct. However, I knew after sitting with it for some time I’d start to see the issues more clearly. So while I immediately shared it on social media, I did not offer any reaction. I’m ready now to openly share my thoughts on this statement.

A Lengthy Response

The statement from EC-Council is long and clearly took some considerable thought to assemble. It touches on some points of accountability and offers some transparency into how EC-Council plans to address the situation. So I’m going to go point by point, offering my reactions to each here.

Their explanation

Graphic with the greeting and first three paragraphs of the EC-Council statement.

In these first couple paragraphs, Mr. Bavisi attempts to address the silence from his organization. Remember this statement came a full week after I first reported the plagiarism. While I’m glad they addressed this issue, why it took a week to investigate and admit wrong-doing is a mystery. Clearly crisis communications are not EC-Council’s strong suit. Still, I’m glad to see he came prepared to face the music. Let’s see what they’ve learned.

What they learned

A graphic showing the first bullet from the EC-Council statement expressing disappointment about the events.

OK, this looks like a good start. This is the first time in the week since my report that EC-Council has used the words “plagiarism” and “sorry”. They go on to loosely explain it as a series of missteps. This is a bit of minimization considering these accusations can be found dating back to 2011. However, nice to see ECC finally admit culpability.

A graphic showing a bullet point from the ECC statement talking about anti-plagiarism tools

The second bullet and things are getting shady already. In their previous statement, ECC claimed their blogs were checked for plagiarism by “industry accepted software.” However, now they contradict that. Alright, so gaps happen. However, it’s the rest of this point that’s troublesome to me. Bavisi attempts to distance this situation from their certification and course content. Of course he does, because those are the primary sources of ECC’s revenue. They are the crown jewels and this situation has undermined their credibility in the market.

The problem is, there is a high profile case of plagiarism in ECC’s exam questions documented on the internet as well. So this becomes a divide and conquer maneuver. Bavisi is already attempting to treat this as a one-off event rather than consider the bigger picture of the culture at his organization.

Whatchya gonna do about it Jay?

Graphic of another bullet in which Jay Bavisi says he takes full responsibility

Um, so what does it mean that you take full responsibility? You’re the CEO, so of course you do, whether you like it or not. But this is a meaningless platitude if not met with action. Maybe the following bullets will help explain it more. The unreserved apology is nice, the second time contrition has been presented without caveat. That’s a far better response than the first statement you released.

Bullet saying the blog will no longer be managed by the marketing team

This is an interesting response. In most organizations, blogs such as ECC’s, which serve a very specific purpose, fall under marketing. It’s called content marketing for a reason. Your blog is set up to offer free materials in order to market your products. So could this be a shift in how ECC plans to leverage their blog? I’ll be staying tuned, as that could be something potentially, dare I say, innovative?

Bullet stating that the blog will remain off-line and that they're establishing an editorial team.

This sounds like a great idea. Bring in people who are technical experts to create original content that is high-quality and of value to the community. I think Jay actually read my previous blog and is taking my suggestion on this. Value contribution is a principle I called for them to apply and this sounds like they’re moving in that direction. Well done!!

Bullet stating they are planning to hire an editor with experience in technology and security

Any of my skilled writer friends need a job? I know someone who’s hiring. In all seriousness though, this is a good move and a good investment. Time to bring in someone that knows what they’re doing. Someone connected with the industry and with journalistic practices would be a big improvement.

Graphic of two bullet points that seem to reiterate the previous two bullets

I’m tackling these two together because they seem to go together and express pretty much the same thing I got from the previous two points. These are good moves. An advisory board, and hiring subject matter experts. In the past ECC has relied on free contributions from whoever they could get to provide them with such content. That’s not a recipe for getting the best and brightest. Pay people for their knowledge. That’s how you get quality work!

Bullet stating they'll hire diverse people

Yes, you should be hiring across a diverse set of candidates. Your writing pool should reflect the same diversity that is in the community you serve. I’m thinking this is a callback to the situation in April.

Bullet stating they're creating a VLOG to help avoid plagiarism

A Vlog is an interesting approach. However, Jay, be aware that this will not “ensure that plagiarism won’t happen again”. It is possible to plagiarize via spoken word as well. However, it is also harder to find. So, I truly hope that you don’t think just because it’s live or recorded content being spoken on video means that it can’t be plagiarized material. Tread lightly on this one.

Bullet that asks victims of their plagiarism to reach out to them.

I’m not sure what this is asking. Jay, are you asking all currently identified victims of the plagiarism to contact you at this email? Are you offering compensation or something similar for the works your organization stole and profited from? Or are you looking for further victims to make themselves known? If the latter, I’d say that given how trivial it was for us to find additional plagiarized content, perhaps your team should be doing that work. Especially now that the blog is offline, so searching it requires use of the Wayback Machine.

Bullet stating they hold themselves to rigorous standards

Oh cool, the rest of EC-Council too? So does that mean you’re making improvements in exam question authoring as well? You need to come through on this promise. I’m sure your missteps so far this year have had an impact on your bottom line. You don’t want any more of that.

Bullet announcing the resignation of a Marketing Executive

Well, um, what? Jay, I thought you were taking full responsibility? Also, how senior was this marketing executive if they weren’t even listed on the executive team page on your website? This one bothers me. Not that there wasn’t good reason for this person to resign. However, it screams of scapegoating. It ignores that the problem goes higher. Given how long this has been going on and the number of issues (not just plagiarism) at play, clearly a cultural shift is needed. What is the rest of your executive team doing to make real change happen, Jay?

Wrapping things up

Graphic with the concluding five paragraphs of the statement

So the conclusion begins with another apology and Jay again saying he takes full responsibility. Still wondering about that executive marketing leader. Then he announces the upcoming release of their diversity report that they committed to back in April/May. Clearly he wants us all to know ECC is trying to get better. Fair.

The third paragraph is wonderful but perhaps should have appeared earlier in this statement. In it, Jay actually acknowledges (I believe for the first time ever) that there has been a lengthy history of this behavior from ECC. That’s important because, as I’m sure Jay with his law degree knows, this puts him legally on the hook now. If things don’t get better after this, he has no plausible deniability.

The next statement is nice if it isn’t a platitude: Jay reaching out to the community for their thoughts on what ECC can do to get better. Yes, that’s a great invitation, but I hope there’s some substance behind it. I also hope this isn’t a lazy attempt at finding your issues without doing the hard work of introspection. Interacting with and hearing from your community is important, so maybe a good step? We’ll see.

The verdict

Well as I said when I shared this on social media, some good info and some problematic statements. I’m not convinced at this point. Given ECC’s history of this kind of behavior they’ve got a long road to travel. From the responses I’ve seen privately and publicly on social media, it seems much of the industry feels the same way.

I don’t wish for the failure of EC-Council. I don’t think that would be good for our community in the long run. However, my opinion could change if EC-Council continues to cause damage like this. So for now, I’ll be keeping them at arm’s length. They need to show me they’re actually changing. That they’ve learned it’s OK to make profits, but that those profits should come from building up the security community, not draining from it.


Ethics in Cybersecurity Marketing – Principles of Value Contribution

Ethics in cybersecurity marketing is a topic of hot debate among many security practitioners. Cybersecurity vendors are often criticized for the marketing campaigns they deploy, the promises they make and the practices they use to reach members of the community.

Recently, the cybersecurity community (and I in particular) was the victim of unethical content marketing on the part of an organization we should be able to trust. EC-Council was recently discovered to be publishing blogs that were, in the opinion of a lawyer I spoke to, plagiarized from security and technology experts. One such work was my blog, “What is a Business Information Security Officer (BISO)”. What follows is a description of the events and what I believe needs to be done to correct this horrific trend.


The Saga Begins

The recent revelation with EC-Council began on Sunday, June 20, 2021. While performing a Google search to pull the Featured Snippet that had previously been attributed to my BISO blog, I discovered it was no longer connected to my blog. This is normal. Google updates their featured snippets all the time based on content they crawl from the web. However, what caught my eye was that the text of the snippet appeared to be the content from my blog but attributed to a different site.

Looking deeper I found that it was attributed to a blog on the EC-Council website. The preview text, defining what a BISO is, was almost verbatim the same as my blog with only a couple words changed. I went and reviewed the blog in detail and discovered it was a direct copy of my blog, re-worded in many places to disguise where the content had come from. Additionally, a quote from another technology professional (which I would later discover was taken from another site) and some marketing fluff for one of their certifications had been added to the end.

Notification to EC-Council and Social Media

I was hurt, I was angry, I also felt betrayed. You see, in April of 2021, I worked with EC-Council to help them address issues of misogyny and sexism that had come to light. Despite many who expressed a bad feeling about the organization, I tried to give them the benefit of the doubt and a chance to change their ways. Seeing my work plagiarized in this way was another sign to me of the disrespect EC-Council shows to the community they purport to serve. Additionally, by doing this, they had pulled traffic away from my blog where I also seek to foster interest from those looking to hire me as a public speaker.

Google search results showing EC-Council copied blog #1 and original #2
The Google search results showing the previews of my blog and the stolen content on Sunday, June 20.

I immediately sent messages via both LinkedIn and email to EC-Council’s CEO, Jay Bavisi. I also began collecting evidence and posted links to Twitter and LinkedIn to get others’ opinions of what had occurred. This was all early afternoon, Central Time, on Sunday.

The social media posts blew up. Comments, retweets, reshares, and many direct messages expressing anger with EC-Council, and support for my efforts to call out their behavior. At 5:20PM CDT, Mr. Bavisi responded to me indicating that they would investigate. At 8:33PM he responded again stating they would take down the blog while they continued investigating. At 9:35PM I was finally able to confirm that the blog had been removed from their site.

A Pattern of Behavior

For the next 48 hours the only activity was the ongoing discussion on social media. I heard nothing from EC-Council. However, I was informed that my story had been added to a growing list of misdeeds by EC-Council that have been captured on the website attrition.org. Then I received a reply from another member of the Twitter community who had found another instance of an EC-Council blog that appeared to be plagiarized from another source. Over the course of the next hour, this individual and I identified three more blogs, for a total of five, that appeared to be works of plagiarism as well. I reached out to the owners of the original works and was able to confirm with at least two of them that they had not given EC-Council permission to use and modify their work.

How did we find them? Well, it was quite easy honestly. You see, despite efforts to change the wording in an attempt to obfuscate where the content came from, there are always crucial key terms or phrases that can’t really be changed. So all it took was selecting a blog from the EC-Council blog site, finding a few of those key terms or phrases, and then plugging them into Google. Typically the source content showed up somewhere in the first five results. A quick read of the content side-by-side confirmed the overwhelming similarities. From there the process was the same: save documentation, confirm it was logged in the Wayback Machine at archive.org, and then share to social media.

You can find copies of the screenshots taken of each blog for your own comparison in this GitHub repository.

Goodbye EC-Council Blog

Sometime after 9:35PM CDT on Tuesday (when I contacted Mr. Bavisi again regarding the additional evidence), the EC-Council blog website was taken off-line in its entirety. Requests to the blog site were redirected to their home page. In the very early hours of Wednesday morning, EC-Council published a formal statement.

EC-Council Statement announcing the removal of their blog and the publishing of non-original works

It was a complete word salad of legalese. The only mention of the term plagiarism was them insisting they use anti-plagiarism tools. Instead, they referred to the blogs as lacking proper source citation and “closely aligned” in format. Even an apology offered at the very end was full of caveats to ensure there was no admission of actual guilt. As of the writing of this blog, that is where things stand. No personal apologies have been issued, and no other contact or acknowledgement on the part of EC-Council has occurred.

Damage to the Community

The point of this blog isn’t to attack EC-Council; rather, it’s to use this example to highlight a bigger issue that is growing in the cybersecurity space. Unethical marketing behaviors such as this have sown considerable distrust between security practitioners and the vendors we rely on to supply the defensive tooling and education we need. In EC-Council’s case, they are an organization that serves to educate and certify the skills of cybersecurity professionals. Yet, despite including the word “ethical” in the title of one of their most well-known certifications, their marketing behavior fails to live up to it.

Not only have actions like this crushed the critical trust that the cybersecurity industry relies on, they also hurt content creators like me who try to share our knowledge to help educate others. The message from this incident is that content creators have to go to ridiculous lengths just to defend our rights. Otherwise, when companies choose to steal our content for their own commercial gain, it’s hard to locate and counteract.

Content Marketing Requires Investment

Based on my time spent creating content for content marketing campaigns, I have a theory that I believe is the likely cause of the issue at EC-Council. All too often, content marketing will hire professional writers who are not domain experts to create new online content. This is OK if it is done correctly. By that I mean the writers act in a ghostwriter capacity. They sit down with proven experts to gain enough knowledge and unique perspective to write content on that expert’s behalf. Additionally, they are provided with research tools to gather enough further information to write a quality piece.

The problem manifests when these writers are given aggressive timelines and little access to expertise and research materials, and are forced to simply Google the search term they want to target and use the results to craft new content. This creates a situation where the temptation is great to simply leverage someone else’s work to knock out the content quickly.

Organizations need to understand that hiring non-expert professional writers is not a way to cut costs. They should be hired for their skill in writing and then empowered and enabled with the necessary support. Trying to hire professional writers without domain expertise and thinking they can simply learn from Google searches is a recipe for this kind of disaster. Organizations need to support their content marketing efforts with real investment in quality and expertise. There simply is no other way.

Content Requires Stringent QA

If you are going to publish content to your site, that means you have a duty to other content creators. Your duty is that you must ensure your authors aren’t posting plagiarized material. Simply running an automated tool clearly isn’t enough. As described above, despite EC-Council’s claims that they ran a tool, the effort to find plagiarized material was quite trivial.

You need humans who review your blogs. You need to ensure not only accuracy and valuable content, but also that it wasn’t stolen. There simply is no replacement for a human review that can inherently detect when the voicing of a piece doesn’t match that of the author.

Further, organizations need to have a culture with core values and practices that reject such unethical behaviors. If your culture is lax or uncaring, patterns of behaviors like those shown above will inevitably emerge. Organizations need to instill accountability and expect excellence from their employees. Engage with them, support them, and work with them so issues like these cannot persist.

Looking to the Future

I have no clue where EC-Council will go from here. I have no interest in being involved in any way with their organization. Not even their CISO Mag publication, or their Hacker Halted series of conferences. However, for other organizations out there, take a good hard look at your content marketing practices. Win over customers and advocates for your products and services by providing meaningful and valuable contributions through your content. Offer unique insights, share new perspectives, or highlight practical applications of your solutions to real cyber security problems. Don’t steal and regurgitate the original and thoughtful work of others as a way to capitalize on others’ expertise.

We need trust among the members of our community. It’s the only way we can gain the trust of the businesses we’re trying to defend. It’s time that cybersecurity vendors mesh profits and ethical behavior into a singular business vision. That is the path forward that we need.
