Security efforts are being hampered by business-immature practitioners and stand-offish management, writes Jason Polancich
At 13 years old, I’d had a string of dirt bikes thanks to a motorcycle enthusiast dad and a couple hundred acres of farmland to traverse. I rode constantly and began to think I was not only good at it, but perhaps great. The best, even. I used to brag nonstop to my neighbor, David, and act the superior fool whenever we hung out. There was so much he could learn from me.
One day, he finally tired of it and asked why we couldn’t just ride without all the needless self-promotion. I took that as yet another opportunity to remind him just how much better I was and how he was lucky to ride with me and learn.
Things escalated (as they do when you’re 13 and in the South) and, well, I got my a–… uh, ‘rear end’ beat. Badly, I might add.
Slinking home with a bloody nose, bruised eye, completely humiliated and incredulous, I approached my father who was not only not sympathetic, but amused. What he said has stuck with me my entire life:
“So, your buddy David finally shut your mouth for you. Learn from it. No matter how big and bad you think you are, there’s always someone bigger, badder and better around the next corner. Keep humble, keep your mouth shut and keep working. If you’re really worth it, let other people do the talking. Otherwise, you’re just gonna ruin every friendship and every team you’re a part of.”
For what it’s worth, David ended up riding BMX and motocross competitively on a national team for several years. I never did.
It may sound strange, but more than a few years later, I’m often reminded of that painful personal growth experience as I work in cybersecurity. As I watch cyber defense attempts made by organizations and the solution-makers alongside them, I see my know-it-all, 13-year-old self reflected in how our industry does corporate cybersecurity strategy and tactics. Worse yet, I see that 13-year-old self has been left in charge.
The cold, hard reality is that cybersecurity, on both the end-user and the solution-maker side, is almost entirely being driven by ‘business immature’ security engineers with little or no adult supervision. We lack informed, caring, steady and experienced guidance focused on successfully ‘rearing’ mature, well-functioning team members.
As a result, the cyber domain in businesses across the global marketplace is not nearly as well-functioning, well-managed or predictable as other more traditional business units, like sales or finance.
In our cybersecurity family, we have complacent parents and the kids are in charge. And this phenomenon is keeping security operations stunted.
Cult of Me
Our industry also suffers from a ‘cult of me’ problem. Cyber defense is a team sport if there ever was one. No one person is capable of being effective against the threat(s). But, we aren’t working that way.
Perhaps it’s because of the sophistication and esoterica of the domain, the skillset ‘barrier to entry’, its (lightning-fast) nascence, its niche in our job (and global) culture, or the criticality of the problem versus the available solutions. Maybe it’s the phenomenon of tech itself, wherein those who can keep up in the accelerating Moore’s Law race are so much further ahead that it creates a kind of class separation.
Whatever it is, cybersecurity tends to be a place that asserts the individual above the team. It’s the ‘cult of me’ and it’s starting to really hurt our cyber defenses.
Management’s Complacency Problem
With something as dynamic as cybersecurity, complacency plus the ‘cult of me’ equals disaster.
Yet, across the corporate world, management teams seem fine ignoring most of the problem and hoping things will just work themselves out. They’re also spoiling the kids, and very few spend any quality time with them.
More often than not, I see corporate ‘parents’ that are veritably absentee. Maybe there’s a monthly, quarterly or bi-annual check-in briefing or two, but, almost always, it’s ‘here’s some money, now go away and don’t bother me’.
It’s no big surprise how that’s turning out. Problems in youth lead to problems in adulthood.
I’ve yet to encounter a company tracking their cyber domain as they would sales or financial performance. The lack of intelligence on how cyber affects their business is comparable to knowing nothing about your kids’ classes, grades, hobbies, friends and/or enemies, what they’re doing online or where they hang out.
Cyber is a tough domain, to be sure, but could you imagine that same sort of attitude towards finance? Or product development? No way. Successful management in these areas is highly engaged. They closely monitor growth and progress, are deeply invested in future goals, and guide with a steady, consistent hand. Not so with the cyber domain.
As a result, for most enterprises, cyber is not a formal top-level concern with a real seat at the dinner table. And the family suffers for it.
About the Author
Jason Polancich is founder and chief architect of SurfWatch Labs, a cyber risk intelligence firm. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems, with more than 20 years of experience as an intelligence analyst, software engineer, systems architect and corporate executive.