It's time for more positivity in security. Fear, uncertainty, and doubt do not motivate us to greatness, and it is possible to manage risk and still inspire people.
In the years before decision-makers were alert to the dangers lurking in cyberspace, FUD got their attention, and often their dollars. But security leaders don't have to fight to be heard anymore. Hackers successfully breached big brands, and the media reports those attacks on their front pages. We have all the attention we need. Sure, we have enemies, and lots of them. And, yeah, sometimes they win. But we're not doomed. In fact, we have wins to talk about. It's time to tell the good guys' story.
Language links ideas to action
The segment of the security community that defends our national infrastructure doesn't talk about FUD. Warfighters understand the power language has to shape thought and, by extension, to shape outcomes.
"You're never beaten until you admit it." - General George Patton
No general ever stood in front of a battalion on the eve of a big battle and said, “The enemy is smart and there are a lot of them, so… do the best you can.” That's no way to rally the troops.
Senior people should be motivating folks to fight the good fight. The world we live in is worth battling for, and security leaders should do more than manage FUD. They should lead and focus on the mission of protecting the organization and the people who rely upon it. This is a mission that can be better accomplished through inspiration than through fear and the apathy that comes from self-talk about inevitable failure.
Security is better when we team
Most security researchers and analysts enjoy the hunt and the fight, and they share the camaraderie of people who go to war together. This esprit de corps has become more formalized in security culture over the past five years as organizations have learned to cooperate with each other more closely. Security professionals have always shared information, but it used to take place in secret fight clubs that employers knew nothing about. Now, those same employers cooperate with their competitors to sponsor trust circles, so everyone's security teams can stay on top of emerging threats. The need to share intelligence and helpful practices has given rise to closer relationships, and that benefits everyone but the adversaries.
For example, the Cyber Threat Alliance (CTA), a membership organization created for sharing threat information, released research last month on a sophisticated new malware system called VPNFilter. The group that discovered the attack, Cisco Talos, first published its research as known at the time, acknowledging that facts were still unfolding. Updates were shared as learned. But Talos researchers balanced the risks of releasing information early against the benefits others might gain by being forewarned. Now the information is public, and security researchers from all over are contributing to the effort to shut down VPNFilter. This is the sort of mutual effort that seems to come naturally to the security community, and we should celebrate and deepen that cooperative culture.
"Leaders don't create followers, they create more leaders." - Tom Peters
We need to think about how we're setting ourselves up for the future. What kid is going to want to join the security community if all we talk about is FUD? We should be telling the truth, which is that catching bad guys is exciting and rewarding. Every researcher, even one working at a little IT shop in the middle of nowhere, has the chance to uncover a truly dangerous threat that could hurt a lot of people if left unchecked. That's a story with a hero, and it's a story we should be sharing with young people now, so we can attract the sharpest and most passionate minds to join our ranks in upcoming years.
We're good at what we do, so let's talk about that
We're maturing as a discipline, and we have a lot of good news. We're becoming more open. We're recognizing that automation is a help, not a threat. Business and security are becoming more connected as operations move to the cloud and digital transformations are executed. Some vendors are innovating and security services are rapidly evolving. More companies have CISOs on their org charts. These are all advancements that help us do our jobs better and raise our departments' profiles within our organizations.
Now we need to think about who we are as a community: how we perceive ourselves and how we present ourselves. Sure, sometimes we have to be the bearers of bad news, but that's true for lots of communities. We can be more effective in our roles and have better careers if we make a conscious effort to avoid FUD and remember why we do what we do.