Your Friend the Cybersecurity Curmudgeon

Ever wonder why your cybersecurity friends seem, well, curmudgeonly? Let's explore that, shall we?

[Header image: Photo by Ryan Franco / Unsplash]

Were we born this way? Was it something in the water? Is it a defense mechanism?

Let's face it, lots of us who have been in cybersecurity for a while seem to have some common personality traits:

  • We don't embrace change for the sake of change.
  • We look to the hurdles to be overcome before we dream about the outcome.
  • We want to see evidence before we'll believe your claims.
  • We often eschew a GUI for a good, old-fashioned, green-on-black text-based interface.
  • We tend to be methodical and buried in the details, even when you're trying to ask us to see the "big picture."
  • We earn the "department of no!" moniker. (And we're often proud of it.)

All of this often causes friction when we interact with others. After all, our job is to keep you and your organization safe. Your job is to do something else within the organization, and while our goals may align at the 50,000-foot level, on the ground we're all pushing and pulling in our own particular directions.

I also know that there's a deluge of articles, books, talks, and media telling cybersecurity people to think more about business goals and business needs. Hell, I've written, said, published, etc. some of it myself. But if it is good for the goose, it is good for the gander, so this post is dedicated to helping other people "get" the cybersecurity curmudgeon, and think a bit more like they (we?) do.

Burnout, But Without Horsepower

Look, if we've been in cybersecurity for more than a decade, we're not the kind of people to say "gosh, it's a shame that breach happened. Ah well, on to the next thing." No, we're the ones who will obsess over making sure it can't happen, and we agonize over the idea that it could or will. We have a hard time understanding the point of view of people who don't think this way - how is this NOT your number one priority too?

We have a personal stake in good cybersecurity. We take good cybersecurity personally. And when that is threatened we take that personally as well. Yet we know that we've done this to ourselves - we are the zealots who know perfect cybersecurity means cutting the wire to the Internet connection, but we are realist enough to recognize that business can't happen that way, and we're empathetic enough to try to balance those two things in a meaningful way. Why yes, those are big conflicting goals to navigate, aren't they?

Sounds like a recipe for burnout, don't you think? And I'm not talking about the kind that leaves fresh black stripes on the pavement.

[Image: white candles on black holder. Photo by Anne Nygård / Unsplash]

One of the hardest decisions of my career was choosing to leave a job I loved because I realized that the company didn't share my security priorities. Mind you, this is a company that has data on nearly every adult person in the United States, and access to their private financial information. I was torn between wanting to protect all that important data - the data of both complete strangers AND everyone I know - and recognizing that I couldn't do that in a way I would find meaningful.

Zero Trust Isn't Just an Architecture

We come from an industry that coined the term Zero Trust. If that doesn't give you an insight into our collective psyche I don't know what will. That concept is about recognizing that there is no "safe" collection of systems and people: everything and everyone is suspect. Hey, even us paranoids have enemies, as every data breach and ransomware event in the past 20+ years will attest.

Good cybersecurity requires not just strong technology and strong technical controls, but the willing cooperation of at least MOST members of the organization. Oh, and a whole pile of analysis - both by people and systems - to work. In our daily lives we just don't see the evidence of this cooperation being as prevalent as it needs to be. The WiFi password for the corporate network (not the guest one) written in permanent marker on the whiteboard. The employee who insists on forwarding all their company email to their personal account - and got their boss to pressure the CISO to allow it.

Pressure's Gonna Drop On You

[Embedded track: Toots & The Maytals - Pressure Drop (Single Version), on TIDAL]

Yes, the original, but I have to admit a fondness for The Specials' version too.

Toots and the Maytals probably didn't know it when they recorded this one, but it could be considered an anthem for cybersecurity first responders. While I don't have empirical evidence to point to, I have to believe that stress levels for people who have to react to breaches are every bit as high as those of ER medical staff, paramedics, firefighters and other first responders who deal with high-stress situations. It's only data, you say? How could that be high stress? Let's just review a breach for a moment, shall we?

During a breach your cybersecurity team is going to be under high stress. The entire rest of the organization may be told to not report to work, but your 8x5 team is going to be expected to work 24x7 until things are resolved. Executives are going to be demanding answers before you've even had time to investigate. And blame will always start with your department: why weren't YOUR defenses good enough? What did YOUR TEAM do wrong? Then add in the stress of legal jumping in, trying to negotiate with a ransomware gang, hiring incident response subcontractors at a moment's notice, etc.

How do you make time to recharge yourself during this sort of incident? (As an aside, did you know that many professions from truck drivers to airline pilots have pretty strict rules about how long they can work continuously without a break, and how long a break they must take before being allowed to work again? Yeah, there's no such thing in cybersecurity.)

The aftermath of an incident usually involves a "root cause analysis" which, often as not, becomes more of an exercise in scapegoating/avoiding blame than in really improving the security posture of the organization. Then we all get to do it again on Monday!

No, breaches don't happen at every company every day. The best way to make sure they don't is to have a robust, consistent security program that everyone buys into, but we all know that's not always going to be the case.

Those Were the HighLowlights, So Now What?

I started this post with the admonition that cybersecurity people are hounded to "better understand the business." Well, I'm going to ask you to turn that advice around and ask the business - or at least the people - to better understand cybersecurity, or at least the demands being placed on cybersecurity practitioners.

Our Discipline Is Nearly Brand New

You're right in thinking that cybersecurity - or as we used to call it, information security - has been around for about 30 years, give or take. But let's compare that to sales, marketing, accounting, contracts, consulting, manufacturing...all of which have not just a few decades but actual centuries of history, refinement, and growth. Heck, even software development has more than double the lifetime that cybersecurity does. The first graduates with cybersecurity degrees didn't show up until about the turn of the century - most of us first-generation practitioners have other degrees. We still don't even have universally accepted metrics for showing progress or even efficacy within our discipline. So please have a little grace, we're still figuring this out.

We're Still Trying To Retrofit Unsecured Systems With Modern Security

If I had a dollar for every time in my career I heard "but we've always done it this way," or "the system just isn't designed to do that," I'd be retired on my own private island somewhere. Yes, even after three decades cybersecurity is still a "bolt-on" rather than a "built-in" capability in a great many systems and solutions. So please, have some grace as we're still trying to take all the business systems you've spent money on and cost-effectively make them secure, without some sort of overarching architecture and infrastructure that was designed to be secure from the ground up. Sometimes we let ourselves get lost in the details of that and need to come back up for "air" and the 10,000 ft picture.

Help Us Help You

[Image: brown tree. Photo by Neil Thomas / Unsplash]

Good cybersecurity is useless if the organization doesn't embrace it. So much of that depends on you in sales, accounting, on the production floor, in HR, etc. There are plenty of little things you can do, like using the company approved messaging app instead of sending a text, or using the company provided storage options instead of your own "unofficial" Box or iCloud environment. But there are bigger things as well. Recognize that we are all trying to do right by our organization, and work with us when we come to a disagreement. I'm willing to bet that you'll find we are a lot more "reasonable" to work with when we're invited in as partners early on instead of being treated as end-of-process obstacles to be run over/through/past as quickly as possible.

The Cybersecurity Curmudgeon IS Your Friend

Really, we are! Though sometimes we seem to be at cross purposes, we're really doing our best for the organization. We're human, and we're under stress that you may have never seen, understood, or thought about. I hope these ~1700 words help you understand your friendly neighborhood cybersecurity curmudgeon a bit more, and can improve your working relationship with them/us. I promise you, we're trying to be better corporate citizens as well, and meeting us in the middle would do wonders for all of us.

🦣
You can follow Between Two Firewalls on Mastodon, Threads, BlueSky and other Fediverse-connected solutions. Connect with us on those apps with this handle: @posts@between-two-firewalls.com