The Invisible Barrier: Your Comfort Zone

[Figure: Panic, learning, and comfort zones]

At Pythia Cyber we spend too much of our time trying to get people out of their comfort zones so we can talk about an effective cybersecurity program.

Like many domains in which the stakes are high, cybersecurity makes most people uncomfortable. It is arcane. It is hard to assess. It changes all the time. It is out of most people's comfort zone, which means most people just don't want to think about it.

When something is out of your comfort zone the only way to remedy that is through exposure, education and evidence. You need to expose yourself to the thing you want to avoid. You need to educate yourself about the thing you fear is beyond you. You need to collect or review evidence that your fears are not being realized.

However, too many of us shoot past the Learning Zone and into the Panic Zone. No one likes to panic, so no one stays in the Panic Zone for long. The natural thing to do is to retreat back into your comfort zone, where there is no cybersecurity, or where cybersecurity is presumed to be working unless and until something terrible happens.

Once something terrible happens, it is too late for prevention but, to quote Woody in Toy Story, it is the perfect time to panic. Now you can panic without feeling guilty. Who wouldn't panic, at least a little, when something terrible happens?

This is why so many organizations are in the invisible box of their comfort zone, like corporate street mimes, waiting for something terrible to happen while trying not to think about it too much.

This is why so many cybersecurity consultants and vendors use FUD (Fear, Uncertainty and Doubt, although we find in cybersecurity that it is Fear, Uncertainty and Dread) to sell to the complacent, or better yet, wait until your hair is on fire before selling to you.

These sales are easier, but often rather unsatisfying. Don't make us close a sale because something bad happened. Don't make us preach prevention to those who clearly did not get the memo.

We know: why check your car's oil levels when everything seems fine? Why visit the doctor when you feel well? Why do seemingly unneeded preventive maintenance when crisis management requires so little forethought?

You know why people do these things. You probably know that you should be more on top of cybersecurity, even if you aren't a CISO and especially if you are. But as the old Irish adage has it, "never trouble trouble till trouble troubles you." That is good advice for getting along with other people. It is terrible advice for keeping your organization's systems safe from loss or breach.

Call us when things seem OK, but you want proof that things are OK. Proof is evidence that you can understand and share with others. It is so much easier to effect lasting change when people are calm and focused. Chaos and disaster may motivate you to action, but they rarely lead to effective, long-term improvement.
