People Are Your Best First Defense

Teaching your people to recognize when someone is trying to pull a fast one is a hotly debated topic in security. There is value in it to be sure, but the technically inclined have a bias towards solutions – products or services – rather than relying on “wet-ware” (human brains) because the latter is more susceptible to a wider range of vulnerabilities (emotions). Of course training only helps when everyone participates and you hold people accountable.

 

Business is Good

Your regular reminder that you’re going up against professionals who are looking for an ROI, just like everyone else. Be expensive and you’re less likely to be a victim. It’s not a guarantee, but at least you go down knowing they paid a heavy price.

 

Relax, Francis

Every time a security mechanism is found to be flawed, security donks jump and dump all over it. “You shouldn’t use X, you should use Y!” they shout to anyone within listening distance; all without having any idea how those people live their lives, what those people’s enterprises are like, or their business models work. The best advice is going to come from the expert who spends 90% of their time listening, and 10% telling you what your options are (not what you ‘must’ do).

 

Would It Make a Difference?

Do we need a cyber coordinator in the White House? In this particular administration would it even make sense? Looking back, can anyone point to a time when any administration put so much emphasis on cybersecurity/conflict that the position was critical to success? The value isn’t zero, but then you can’t point to more than a handful of examples of government efforts making cyberspace a safer and more secure space in a meaningful way, at scale. 

If It Bleeds It Leads

Selling fear works, clearly. Read any airport concourse billboards lately? Ever see what happens at companies in the X field when one company that does X gets pwnd? It would be amazing if we could all mount sound, quantifiable arguments about the importance of security, but by and large we can’t. Even if we could, security is not something anyone wants, it’s what people are forced to do. As long as that’s true, a little hype is all we’ve got.

 

What’s Taken So Long?

I’m not a big fan of ‘hack the X’ programs, where X is some government entity or system. Everyone is patting each other on the back when they launch, conveniently ignoring that they’re 20 years behind the curve. To be fair, hackers don’t give you a deliverable. Having said that, you could spend your lunch hour talking to satellite SMEs and come away shocked at just how important a project like this is (the things you could do after a trip to a Radio Shack). 

A Good Business Decision?

I find the idea that a majority of companies are prioritizing cybersecurity over productivity exceedingly hard to believe. It would take a very aware and enlightened enterprise indeed to know that not making security-first would lead to their imminent downfall, and we all know the biggest problem facing every enterprise is simply knowing what it is they have to protect, never mind actually protecting it.

 

Forward Political Progress

I don’t mind taking a little heat up front when I proffer theories about attacks on government legitimacy via mechanisms like ransomware, especially when confirmation at a national level follows not far behind. States and cities have the same problems the feds do, what they lack is the money. Expertise too, but you can solve that with money.