Getting Cybersecurity Just Right

At Pythia Cyber we try to give behavior its rightful place in cybersecurity. Often we mean that what your organization's users do is a huge part of the vulnerability picture. Sometimes we mean that the way people react to situations is also a source of vulnerability. This time we mean how your organization models its relationship with its cybersecurity professionals.

This is important because how we define our boundaries at work has a huge impact on people's expectations of themselves and others. Expectations are a big factor in our effectiveness.

So much for the abstract stuff. Let's get concrete. There is a spectrum of relationships that runs from too little through too much, with a stop in the middle for just right.

By "too little" I mean giving your cybersecurity people too little input into your decisions. By "too much" I mean letting your cybersecurity people make your decisions for you. By "just right" I mean working with your cybersecurity people as part of your team and allowing them to set the limits they need to keep you safe but not allowing them to set limits simply to make their jobs easier.

"Too little" from outside the cybersecurity circle is characterized by colleagues who view the cybersecurity folks as their digital chambermaids: we do whatever we want, and then they have to make whatever we have done secure. This is not a very effective way to go, because none of us knows what we don't know: you likely do not truly grasp the consequences of your actions. From inside the cybersecurity circle, "too little" looks like running after a hyperactive toddler who keeps making messes that you have to clean up. A common cause of "too little" is mistaking cybersecurity's need to be aware of every aspect of operations (which it must be to do the job properly) for cybersecurity being control freaks who cannot stay in their lane. Of course, some cybersecurity folks really are control freaks who cannot stay in their lane, which leads us to "too much."

"Too much" from the outside looks like feeling that all your cybersecurity folks ever do is deny you access to things you need and refuse to provide services you should have. Being an old-school James Bond fan, I call this "The Dr. No Problem." The tail wags the dog, and in the name of security every request is assumed to be dangerous, frivolous or both. From the inside, "too much" looks like deciding that your colleagues are hyperactive toddlers who do not understand IT, therefore do not understand the consequences of their actions, and are going to screw up and then blame you for it. So it seems best to oversee every decision and try to deny every request.

"Just right" from the outside means having cybersecurity in the meetings, but only hearing from them when you need to understand a risk so that you can weigh it against the benefit. It means trusting them, so that when they tell you not to do something you are confident they have your best interests at heart and not their own convenience in mind. From the inside, "just right" looks like being heard when you have input and being aware when major decisions are made.

To quote Edward R. Murrow, everyone is a prisoner of his own experiences. If you are outside of cybersecurity and have worked with intrusive control freaks who enjoy saying no, it will be hard for you to avoid the "too little" model. If you are inside cybersecurity and have worked with rampaging toddlers who make dangerous decisions and then expect you to secure the resulting mess, it will be hard for you to avoid the "too much" model. But past experience is not destiny, and behavior is not set in stone. Behavior is very hard to change, to be sure, but most of us don't even try to examine our behavior and change it.

Be the exception: temper your own behavior and try to understand other people's behavior. Because, with apologies to the great William Faulkner, cybersecurity is not purely technology. It's not even mostly technology. This is not easy, but we can help.
