Fear is the mind killer.
This is one of the core values of our company, and hopefully it resonates not only with IT and security professionals but also with business leaders. It's more than a quote from "Dune"; it is a good approach to crisis management.
The rest of our core-values statement says we don't let fear define the need for our services, and we don't present a problem without discussing realistic response or mitigation options. There's more than enough to worry about in life and plenty of people telling us to be afraid. We're solutions people, not fear mongers.
Cybersecurity is scary, and if we focus on that fear, it limits our ability to see solutions or mitigate risk. Unfortunately, too many people in cybersecurity culture try to sell with fear.
The tone might be, "Buy this product or you'll get hacked and lose millions!"
That's not a good approach because it rarely works, and if it does work, it is very short term.
CEOs and company owners simply don't "scare" very easily because they live and breathe risk. They weigh the risks and costs of action or inaction and make a reasoned business decision.
Fear should have no part in that.
Another concept to consider is that security is long term.
I love that it is called cyber-hygiene because that is such an apt metaphor. Security isn't a sometimes thing, it is an all-the-time thing.
Sometimes fear makes us decide things quickly in the hope it will make us more secure. That would be like brushing your teeth extremely hard one day in pursuit of good dental hygiene.
Hygiene is about doing the right thing consistently on a scheduled and recurring basis. If we think about security controls in our everyday life, we aren't doing them because we are terrified.
We don't wear our seat belts because we have an immediate fear of a car wreck. We wear our seat belts because we understand it is a good idea, and we simply create that lifesaving habit.
That same concept holds true for using unique passwords, locking our workstations when we leave, and keeping sensitive data in the correct repositories.
Our industry already has too much fear and uncertainty, and the conversation should focus on risk reduction, not reactive knee-jerk efforts based on fear.
For example, if you are responsible for the security program of your organization, perhaps you recently have been asked by your C-suite or board of directors about your defenses against a retaliatory infrastructure attack from Russia.
Where does this question come from? They are likely asking because they don't feel confident about the maturity of the organization's security program, and unfortunately security programs are not built by buying the newest widget and implementing it quickly.
The answer should be that we will continue doing the security controls that we know and love. If the security program is already mature, the right response is simply to keep doing the right things.
Great security is methodical and regimented. We protect our businesses based on proven controls, and we try not to react to generalized geopolitical events.
We don't buy new tools based on fear because that will result in an expensive subscription with no people or process to leverage them. In the end we should encourage what successful businesses historically have done.
Measure risk and cost, create road maps based on goals, and execute those plans with the long term in mind.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids-based not-for-profit focused on cybersecurity education. Go to SecMidwest.org for more information on attending its free monthly meetings.