The loudest voices in cybersecurity are not always the ones who carry the risk. When advice comes without accountability, it creates noise, not resilience.
Years ago, during one of my many stays in London, I turned on the television one evening and found myself watching a political debate between the leaders of different political parties in the run-up to an election. In the UK parliamentary system, the chosen leader of the political party that wins the most votes is appointed Prime Minister by the monarch. Thus, although there is no direct election for the Prime Minister, I was effectively watching a debate between candidates for Prime Minister.
During the debate, one of the candidates (from a party I had never heard of) floated a policy idea that seemed to me to be a bit ridiculous. A candidate from one of the more well-known parties responded with this quip: “You can suggest anything you want, as you’ll never win and will never have a chance to implement your suggestions.”
I initially laughed when I heard that statement, as I thought it was clever. After thinking about it a bit more, however, I realized that it contained a very important life lesson. Now, years later, when thinking about this story, I realize that there is also a very important security lesson here.
What is that lesson? It is that people who will never have a chance to implement their suggestions will also never need to deal with the consequences of implementing their suggestions. Or, to put it another way, ideas that come from people who have nothing at stake and/or nothing to lose should be treated with a tremendous amount of caution.
I think this is an important lesson for those of us who work in the security vendor and security consultant communities. How so? Practicality and pragmatism based on experience need to drive dialogue, rather than hype and hysteria. It sounds obvious, but it is, unfortunately, not always the case. Hopefully, these five examples will help illustrate the point:
The Panic Inducer – Selling fear instead of facts
We’ve all been in meetings with a panic inducer. Rather than approach the discussion from a data-driven, logical, and/or balanced perspective, the panic inducer is alarmist. Can a process (whether sales or otherwise) be driven by panic? Yes, of course it can. In the short term, it may even be profitable to do so. The trouble comes in the long term. When the alarmist picture that has been painted doesn’t materialize, trust and confidence are lost. That will affect future business, including renewals. In the long run, it is much smarter to represent risks and threats accurately than it is to raise alarms.
The Hype Rider – Chasing trends instead of evidence
It seems that for every industry trend, there are suddenly “experts” everywhere. I call these people hype riders, and in my mind, I envision them like surfers riding a big wave. While hype riding may get press and praise, it seldom builds trust and confidence, both of which are essential to any healthy relationship. Despite the attention a given topic may be receiving, experienced and skilled security leaders are not likely to drastically alter their direction because of it. Rather, they will adjust their direction when they see evidence that a new trend introduces risks and threats into the enterprise. Speaking to this mentality is much more effective than chasing the latest wave.
The Chicken Little – Drawing big conclusions from small data points
In the fairy tale Chicken Little, the chicken mistakenly believes that the sky is falling after an acorn falls on her head. The chicken then proceeds to panic the other animals, ultimately resulting in those animals being tricked into being eaten by the fox. While there are many lessons one can take from this story, among them is the danger of drawing the incorrect conclusion from a data point and charging forward in that direction. In the security community, we need to be very careful about this. Sometimes, there is a tendency for people to charge forward in the wrong direction. Not surprisingly, this approach will not resonate with seasoned security professionals who have experienced this more than a few times.
The Pessimist – Overestimating risk and burning resources
There are some people who paint everything as doom and gloom. While this may make for an interesting theoretical talk, it isn’t a way to run a security organization. Security leaders need to assess risks as objectively as possible, prioritize those risks, and mitigate them as budget and resources allow. The pessimist’s approach to security is not realistic at all. It essentially results in risk being assessed as far higher than it actually is. That, in turn, results in resources being burned on efforts that don’t provide the amount of value they should and don’t mitigate the amount of risk they should. Experienced security leaders know this, and thus, taking a pessimistic approach when attempting to have a dialogue with them is seldom effective.
The Dismisser – Rejecting solutions without understanding them
Some people find the solution in every problem, while other people find the problem in every solution. We’ve all met people who dismiss all ideas and claim that none of them will work. While, of course, not every idea proposed will work, some of them likely will, and there may be more than one way to solve a problem. Dismissing all potential solutions other than the one you and/or your company can provide isn’t going to help your efforts. Rather, know that it is far more effective to understand how your product or service can fit into the security team’s desired solution.
It might be fun for some people to go around creating panic and distraction, but it does our industry and our profession a disservice. When the panic recedes and sensibility returns, practical ideas and suggestions that facilitate security organizations focusing and moving their efforts forward will win out. It may take some time for the pragmatic amongst us to have a constructive, meaningful dialogue over the shouting of the alarmists, but it will happen. Simply put, security practitioners can’t just propose every inane idea that might cross their mind like some people can, since they will ultimately need to deal with the consequences of those ideas. This is the valuable lesson in the debate story I opened with, in my judgment.