Yet, day to day, things still function.
For most people, most of the time the internet still works, meaning it allows us to get done what we need to do.
How broken it is depends on whether you’ve been attacked and the cost/consequence. At one end of the spectrum, it’s inconvenience. At the other, it’s a terminal event.
As cybersecurity advisors we therefore navigate different terrain.
On the one hand, we must honestly advise that attacks are inevitable. CISO’s now have one of the most difficult jobs in the world - I’d say, without disrespect, along with COVID front line workers.
The challenges are clear:
- empowered attackers
- ubiquitous vulnerabilities
- interdependent systems
- apathy, ignorance, denial.
This results in the asymmetric threat landscape we all know so well.
But on the other hand, the world has so much invested in our connected systems that this is a war we can’t afford to lose.
From what I understand of the attacker playbook, the general preference is not to kill the victim. Tax their weaknesses by all means. But allow them to survive for future exploitation.
The problem lies in the aggregate. From the victim’s standpoint, a thousand cuts, each from a thousand different attackers, still leads to death.
So, in the opportunistic free-for-all that cybercrime has become, there is no threshold at which a target can relax.
This enervates the increasing problem of cyber fatigue.
How do we maintain own / client / CISO / board enthusiasm in the face of apparent hopelessness?
Relatedly, psychologists refer to learned helplessness. Paralysis of will due to constant exposure to fear based situations. The media has a lot to answer for. They exploit our hard wired, evolutionary tendency to amplify threats and downplay the positive.
The balance we want to achieve as cyber professionals is how to keep our audience engaged enough to act, but not so overwhelmed as to give up.
My recommendation is that we need to reframe the role of cybersecurity professionals from ‘preventionists’ to managers.
- Do what we can by way of prevention … but accept that the inevitable will occur.
- Prepare for it as best we can.
- Support those on the front line.
- Inform the market, but not to the point of despondency (ours or theirs).
It may be time to recalibrate public expectations — like COVID — that this can be overcome quickly.
One of the by-products of the Information Age is impatience. The instantaneous society with its short attention spans is ill-suited to tackle challenges that take long, concerted, sustainably resourced efforts to win.
When progress is so slow and spirits wane, it’s time to remind ourselves that a marathon requires a different mental approach to a 100m dash. This is about developing an adaptive mindset. That of survivors, not victims.
I’m not sure exactly what that looks like so maybe you can share some thoughts about this challenge if I can cast it thus …
How do we tweak the cybersecurity paradigm to align undeniable reality with enough hope that we / our clients / our colleagues can remain happy, sane and engaged.
Or, what will it take at the human and technology level to sail this battered ship into clearer waters?
In 2021, what does success look like? Please feel free to comment below.
About Peter Coroneos
As regional tensions increase, the need for coordinated international action against cyber-security attacks becomes paramount. And no one is more up to spearheading the task than Peter Coroneos, the International VP of the CyAN, the Cybersecurity Advisors Network.
Twice invited to the White House to brief Obama Administration cybersecurity leadership, Peter Coroneos is an internationally recognised authority on cyber policy, an Internet industry leader and an activist and policy innovator. He was also behind the development of icode, an industry-wide botnet mitigation program developed while he was head of Australia’s Internet Industry Association. It saw widespread uptake in Australia covering most Internet users and was later adapted by the US telecommunications industry for the benefit of almost 100 million users.
Appointed International Vice President of the global Cybersecurity Advisors Network (CyAN) in July 2019, Peter champions innovation in critical cyber skills, capacity building and behavioural change while supporting the business, professional and personal development the organisation’s members.
His 2018 book, The Cyber Breach Communication Playbook, co-authored with Michael Parker, is described by Justin Milne, MYOB and Netcomm Chair as “compulsory reading for all executive and non-executive leaders” and by David Spence, Chairman PayPal Australia, “We need more books like this to life our cyber resilience”.