It is always someone’s fault. How can it not be? “You left the front door open, and now someone came in and stole everything! I mean, is it even stealing?” This is the rhetoric I have seen working with all forms of cybersecurity when dealing with clients. Remember, most companies do not reach out for cybersecurity support until something bad has happened. So, there it is, someone needs to be blamed. Why am I saying this, and how can it change?
So… I have spent a number of years working on complex integrations, with politically unstable projects, using underfunded technology with overconfident expectations. I have built applications - middleware and back-end systems - and evangelized the cause of DevOps, DevSecOps, and MLOps. I have found myself in more crisis moments than I can remember and somehow have always weathered these storms.
But this has never been an individual accomplishment (think Mr. Wolf from Pulp Fiction). These storms are always navigated successfully by people, the same people who get blamed for leaving the front door open. Of course, this is complicated, but it falls into the old story of using mistakes as a valuable teaching opportunity rather than as methods of embarrassment and punishment.
If we assume for a moment that I am correct, and it is only people who can make the difference between a chaotic, failed situation and a positive, delivered outcome, then it seems ludicrous that we do not spend enough time building situational control capabilities, coaching cybersecurity professionals, or training our staff to handle disasters we can't foresee.
I know that being technically savvy, having the right capability, and implementing the required technology are key elements of a safe and secure environment; however, I want to add that the story cannot stop there. If we fail to engage with people, we lose the one asset which can stop or slow cyber events from happening.
We all know the story of COVID, and how working from home created more breach events than we had seen for a while. The reaction seen in most organizations was clandestine. Instead of a positivist perspective, leading to a clear and functional understanding of access rights and good cyber hygiene, what we saw were negative repercussions to events that blocked people from their usual behavior without offering them a chance to know why, or a way to change and understand it.
This perpetuated more of the myth that good security requires inherently advanced technical capabilities, and no responsibility was taken to increase security internally. It was simply, as Douglas Adams would put it, an SEP (Somebody Else’s Problem).
I tell my clients, family, friends, and generally, anyone that will listen, that engaging their own teams/employees/people in the problem early on, and at their own level and pace, means that the chance of a follow-up attack, breach or incident is reduced. By showing that awareness makes a difference, and even teaching organizational leaders how to react in a given situation, we ensure there is personal responsibility and start to work towards a proper zero-trust model.
I mention a few statements above - People, Zero-Trust, and Incidents. What really connects all of these is not a hoodie-wearing hacker in a basement trying to steal credit card information, staring at the green matrix screen. It is simply routine. We all know routine from attempts to make changes in our lives and habits, but routines can also be negative. I come into the office in the morning, start up the computer, have a coffee, meet the team and talk about the weather, the latest Netflix series, or some other anecdotal piece. I am likely distracted and not paying attention to my routines on my laptop or in my emails: maybe I am clicking links without looking at them, or not signing into the company VPN, or perhaps I have just received a USB stick with the latest pictures… these are all examples of patterned thinking, and of not thinking about security first.
We want to keep the routine; we just want to add a security focus in the beginning and at the end of it. It is important to create habits for behaviors we see value in. At this point, I probably sound like a preachy personal trainer, and genuinely I could use one of them, but in my opinion, security is an easier domain than body sculpting because it pays off quickly and has enormous wins, and probably more importantly, does not make me want to cry in the changing room later. We need to consider cybersecurity as a people challenge and a people-focused domain.
When writing this blog, I was thinking about the clients I have had, the companies I worked with, and the colleagues both internally and in the industry I have had the pleasure of knowing and working with. Sometimes I am reminded of frustrations, and sometimes, most times, I am reminded of fond memories of achieving aims and goals. These memories are based on people, and it is the people who ensure the success of any given project.
We are often asked to market our solutions under a different name and sometimes even under the egregious use of the “synergy-, fusion-, blockchain- and AI-” prefixes. But the truth is that all these technologies are useful, and naming them differently, in fact, is trying to help people make the right choices in a very complex world. We, as cybersecurity professionals, need to be there to help make these decisions and help implement them in a meaningful way.
At Axon, we are trying to engage our clients in a conversation that incorporates their entire team. It is tricky because, in most cases, we are asked to come in after a breach or a complete security breakdown. This means there are legitimate feelings of betrayal and trust issues. So, what we try to do is remain as professional as possible and work with our clients to choose what is right for them, from governance to compliance, to their value proposition and budgets; but even more important is their potential for successful implementation, and this always engages people at its core. Our people and your people.