Cybersecurity Games
At Pythia Cyber we espouse real-world consulting. People always nod earnestly when we say this: doesn't everyone want to live in the real world? Why even bother to say this, let alone stress it as one of our core values?
The opposite of living in the real world is distressingly common. The most frequent causes of this are:
- Innocent ignorance: you have been sold a lie and you believe it. For example, "this piece of technology will make your network safe from attack, no matter what your users do."
- Bad leadership: you have sent the message to your staff that failure is not an option, so when the inevitable failures come, your staff conceal them. This usually involves misleading you, leaving you living in a fantasy. Worse, these misdirections often compound, making you ever more distant from reality. For example, "you said that piece of technology would protect us, so we dare not admit that it failed."
- Malice: someone in your organization wants something, or wants to do something, that cannot be justified, but they take it or do it anyway. In order to cover their tracks, they omit information or supply misinformation. Either way, you end up disconnected from reality. For example: "your preferred vendor can't get through our firewall to provide support, so we need to use my preferred vendor."
This last example happened to us very recently. We were told that the IT department had a new remote access technology, so the one we were using stopped working. We were not told how to use the new technology, but we poked around a bit. To make a long story short, we had a horrendously tortured time getting back on-line. It took us tens of billable hours and weeks of elapsed time to get plugged into the new process. Since we are domain experts, we soldiered on through the administrative swamp and the technobabble storm until, at last, victory was achieved. We are now back where we were before.
We were more than a little motivated to figure out why this process was so painful. Come to find out that this additional pain was mostly malice. One of the players wants to use another vendor. That player hoped that they could hide behind cybersecurity policy and technology and make our lives so miserable that we would simply give up.
Sadly, this is not the first such experience we have had, nor will it be the last. Cybersecurity is often weaponized because it has two features very useful to the malicious actor: cybersecurity is obscure and it is important. This means that making decisions which strike your colleagues as strange gets little pushback (obscure) and is often met with resignation (important).
If you find yourself wondering why your cybersecurity team has made a particular decision, ask for an explanation--and expect an answer that makes sense. Cybersecurity is risk management. Risk management is about weighing risks and costs. These decisions should be made carefully and deliberately and therefore should be explicable. Don't accept "it is too complicated" as an explanation. Keeping your organization safe is hard enough when you do it honestly and transparently; don't make it harder by allowing people to be dishonest and secretive.