We need more humility in cybersecurity. Let me explain …
I was scrolling through LinkedIn and came across a comment on a post about FireEye from my friend Raf Los that reminded me of this issue and a webinar I did with SecureWorld several months back. In the webinar, I was asked what is the one thing that really concerns me the most about the current cybersecurity landscape. I don’t think they expected my response:
Based upon my experience in leading companies through the incident response process, my biggest concern is the lack of humility in cybersecurity.
At one end of the spectrum, the aloof arrogance of convincing ourselves to believe our own b.s.: “it’s not that big of a deal, we’ll be fine,” “it won’t happen to us,” or “it’s already happened once, it can’t happen to us again.”
At the other end of that spectrum, the prideful, self-righteous arrogance of those who are highly skilled, have great resources at their disposal, and are doing a lot of things really well but still think things like “I have my environment locked down, nobody’s getting in,” and “I’m the best, I’m a stud, I know what I’m doing, we are secure.”
For years I have been “over” hearing the tired old phrases of “it’s not a matter of if but when” and “there’s only two kinds of companies” — phrases that are used to open nearly every cybersecurity conference keynote. But, they still carry a lot of truth. The odds of cybersecurity are virtually impossible — security must get it right 100% of the time across the entire environment — including the third-party risk vector; the threat actors need only 1 lucky shot to succeed. Add to that the fact that the threat landscape is always evolving and much of the time those in security do not even know what they are defending against because it does not yet exist.
Considering this environment, I do not believe any organization can be truly “secure.” We all saw an example of that this past week with the successful attack on FireEye. What organizations can be, however, is resilient — but thinking about resilience requires having the humility to recognize that all can and will be hit, and then preparing for how to move forward despite the hits. In other words, it’s time to take the advice of that great philosopher of our time, Rocky Balboa:
Let me tell you something you already know. The world ain’t all sunshine and rainbows. It’s a very mean and nasty place, and I don’t care how tough you are, it will beat you to your knees and keep you there permanently if you let it. You, me, or nobody is gonna hit as hard as life. But it ain’t about how hard you hit. It’s about how hard you can get hit and keep moving forward; how much you can take and keep moving forward. That’s how winning is done!