Seeing Only Shark Fins and Discarded Plastic Shopping Bags In an Sea of Beauty, Elegance and Plenty
Cyber security types, as a rule, are not sunny-dispositioned, overly-optimistic Pollyannas. This is hardly surprising. We spend our professional lives focused on system and network failures, things like:
· Software with nearly-unbelievable latent vulnerabilities
· Malware infections at scale
· Networks DDoS’d into oblivion, and
· Breaches of PII involving millions of records.
All clear failures, all dire situations that require professional expertise and attention in order to mitigate. Because we spend so much time policing up total disasters, cyber security people often overlook and ignore the ocean of success in which we collectively swim:
· Secure code
· Clean systems
· Highly available networks, and
· Secure databases.
In an online ocean of beauty, elegance and plenty, all we’re able to see is badness: shark fins and discarded plastic shopping bags. Don’t risk swimming or fishing or sailing – there’s danger and pollution everywhere! That’s really a shame. We’ve allowed a bunker mentality to make us timid and withdrawn. We’ve traveled to a tropical paradise, only to cower in our beachside hotel rooms, never feeling warm tropical waters on our skin.
Today’s cyber security culture largely discounts or ignores the Internet’s overwhelming success. We’ve become cable news journalists, continually searching for new tragedies, new disasters. Professional pessimists and paranoids, we search for evidence supporting our persecution complex: yes, the world really is out to get us, see? We take pride in being skeptical, street smart, cynical, and distrustful. Our demeanor is routinely grave, heads shaking back and forth, clearly conveying that the audience should not expect the patient to live, even with our own herculean efforts and the conveyance of much treasure. This is a mistake.
We Need to Focus on Replicating Success
While it can be educational to see how systems fail (has any engineering student ever graduated without seeing the Tacoma Narrows Bridge collapse?1, in order to make sustained progress we actually need to study our successes, not just focus on our failures. We need to codify practices that will allow us to confidently strive forward, not just look creep forward while looking nervously over our shoulder. We need to “accentuate the positive”2 and “franchise” recipes that empirically work.
This is part of the mission of CyberGreen: we need to recognize and publicize cyber successes, and understand why those successes happened, rather than perpetually focusing just on how things went wrong. When we understand the path to success, we can help others to travel along that same path. We can go from being a culture focused on failure to a culture that recognizes, celebrates and shares success.
So I propose a small daily challenge. For a month, every morning think of one positive step you can take to be more secure online that day. Just to get you started, as an example, make sure your systems are all fully patched up to date. What will your morning affirmation be tomorrow? And having come up with one, will you share it with least a handful of your friends and family members?
Author: Joe St Sauver, Ph.D., Scientist, Farsight Security, Inc.
Member of CyberGreen’s Statistics Experts Group