This chapter is from the book

What Matters to You Matters to Everyone Else

The first chapter of Todd Barnum’s book, The Cybersecurity Manager’s Guide, is entitled “The Odds are Against You.” Barnum acknowledges that for managers in most environments, “nobody in the company, outside of your team, usually cares much about InfoSec.” Even if senior leadership says they care, is that supported by money and other resources? We do not subscribe to the view that nobody cares about cybersecurity, but we should stop expecting our priorities to match those of other people.

People in cybersecurity are hired to help deliver cybersecurity. True story. These people are rewarded, personally and professionally, for ingenuity and performance in protecting networks. As with other professions, the more we specialize, the more narrow and specific our interests and care-abouts become. If our job is malware analysis, we are (reasonably) likely to believe that understanding malware is key to cybersecurity and advocate for more attention and resources. If we are cryptographers, malware analysis is nice, but crypto is essential.[34] When we extend this approach more broadly, we start to see a bigger picture and consider more perspectives. For the CEO of a wastewater treatment plant, cybersecurity generally is nice but not the primary objective—maybe not even in the top 10.

In a twist of irony, research shows that even people knowledgeable about cybersecurity sometimes behave more dangerously than expected. For example, “self-described experts reported less secure behaviors and had less knowledge about cyber hygiene than other participants.”[35] So, even what seems to matter to someone based on expertise and experience might not manifest in their behavior! We are creatures of contradictions.

How do we avoid this myth? First, avoid assumptions. If we find ourselves saying things similar to “Obviously the CIO must care that we install these patches right away,” seek clarification directly. There might be extenuating circumstances we could not possibly know about leading that person to hold different priorities. For instance, installing a patch that requires a reboot might interfere with the annual shareholders meeting or a big marketing event. We might find that installing that patch results in criticism rather than praise![36]

A key idea here is the need to consider “context.” This relates to our mention of protecting our cookie recipe versus protecting a government system. What is true in one context may be nonsense (or a myth) in another! It is important to understand the context when planning and executing whatever strategies we may employ. Resources, goals, laws, personnel, values, and history are all part of the context (among other things). We need to know our context, whether we are a CISO or a Chief Elf Officer (CEO). Note that this is true of many other things we talk about throughout this book!