Watch the episode on YouTube.
Reasonably Accurate 馃馃 Transcript
Morning everybody. Welcome to the show. As you can hear, as you can see for those of you watching on the vlog, it is absolutely pouring. It's been pouring for pretty much the last three days on and off, just ramping up in intensity. And I thought that that was the perfect metaphor for today's topic.
I want to talk about negative environments in fact, persistently negative environments and maybe not in the way that you think. So we all know that there's a challenge around toxic work cultures, toxic work environments. But I think there's a bigger issue or a related issue in cybersecurity that we just don't talk about enough.
And that is the fact of a negative attitude and a prevalent persistent negative attitude. And it comes in a really subtle form when you're just starting out in cyber security. There is a tendency to use a lot of law enforcement and a lot of military analogies. A lot of imagery, a lot of this sort of like we are the good guys, we are fighting the bad guys.
There are constant threats from cyber criminals and hackers. And while that may be statistically true being under sort of a red alert, nonstop wears down on you. And I don't think people realize just how much it wears down on individuals on teams and how much that we're constantly under siege type attitude really has a negative impact on the work, but also on the relationships with the rest of the organization.
So if you've seen me give a talk in public over the last two years, you've probably heard my little spiel about redefining the goal of cybersecurity. I am a firm believer in the goal of cybersecurity is to make sure whatever system your building work as intended and only as intended.
The reason why I phrase it like that, it may be splitting hairs, but it's an important split because it can't be done alone. It takes a more positive view on the goal of stopping malicious activity, stopping attacks, stopping cyber criminals, but also preventing mistakes, making resilient systems. These are missing.
These last few things are missing from the definition of cyber security when you talk about just stopping bad guys and stopping Attackers. And that's the more common definition or at least perception of security that people have is that we're here to stop hackers. And yes, that's part of it, but it's really about building, it's about building in a robust and resilient way, making sure that the business and the organizations that we work for are successful because I've seen the opposite.
I've seen the view when the security organization internalizes that belief that they are there to stop the bad guys. They are under constant threat. There is always something lurking around the corner waiting to take you down. What ends up happening is relationships sour even more than normal because none, you know, a you're the gloomy gus, but also everything is viewed through that lens of constant attack.
So when somebody says, hey, we're going to roll out this new system and it's going to be great for internal users because of, you know, point a point b the first reaction of people who are constantly under threat is no hackers could take that down and that could be used against us or that opens up a new insider threat.
And while those may be legitimate risks, that persistent negative attitude skews evaluating those risks objectively. So there's an organizational impact just as important, if not more important, there's a personal impact. If you are constantly feeling like you're under attack, like you're under threat that changes your tone, that changes your attitude, that has a fundamental change on who you are as a person.
And that's a bad thing. You do not want to feel like you're constantly under threat that you're constantly at risk that you're constantly stressed out, right? That's not a positive work environment. That's not a way to actually achieve your security, which is why I find that so frustrating.
If that's the approach that you're taking, it's not going to last long, you may have some short term success or you may feel like you have some short term success, but long term you're going to burn out, you're going to be depressed, you're going to be worn down, you're going to develop a you against the world sort of attitude because that's the world view that you're pushing.
So not only are there organizational effects, there's personal impacts as well. And I think we don't talk about those nearly enough. I think we need to take a more positive view of the role. You know, we paid lip service for years saying cyber security is a business enabler.
One of the ways you can make it an enabler is by shifting that persistently negative attitude into a more pragmatic one, into a more positive one into a more collaborative one working as an educator within your organization. And yes, being aware of the threats that are out there.
But putting them in perspective just because we see hundreds of thousands or up to millions of attacks per day on the internet doesn't mean that those are going to be successful. It doesn't mean that just because there are constant hits against your firewall that you are under nonstop onslaught, that's worthy of your attention, set up your defenses, build resilient systems, make sure that they're taking care of all that for you, worry about the bigger stuff.
So a pet peeve of mine is threat hunting people who spin up threat, hunting teams. They go, we are going to go find these persistent threats that we know are in our network. First of all, it feels very much like a snipe hunt if you don't know what that is.
Google. It, it's hilarious, but it feels very much like, ok, this is a team that's tasked with one thing. They're going to go find existing threats on the network, ignoring the fact that there's a ton of easy, low hanging fruit that needs to be done within the rest of the organization.
But it's simpler from an organizational point of view to sort of splice off a couple of folks and say your job is to find these crazy deep threats that sets them right up off the, off the bat with a mentality that threats exist that they're insidious and difficult to find and it's going to take a long term effort to dig it and they're the only hope it's a hero mentality.
It's a sort of, you know, I'm sure there's some psychological complex it lines up with and it's not that, that's not a bad activity. It's just that, that sets up again to reinforce this sort of persistently negative attitude. That's not to say that activity isn't worthwhile in the proper context when you're already able to patch quickly when you're able to educate your employees and your team members in the organization on making smart security decisions when you can work and collaborate with the rest of the teams within it to deliver resilient systems.
I think we have a massive crisis when it comes to cybersecurity culture. I think we need to very, very much write this. We need to turn it around and go completely essentially in the other direction. When it comes to culture, we need to realize that it is, you can take a positive slant on this and still be reasonable.
You can still be pragmatic, you can still defend your organization. You do not have to believe that you're under constant threat. Even if you are, you need to be able to put that in perspective, you need to be able to work with other teams. I know we've tackled some deep stuff here.
What do you think? Hit me up online at marknca in the comments down below as always on the blog and by email me@markn.ca, I want to know what you think. Do you notice this persistently negative attitude? Do you feel it? What's the, what's the impact then on you?
How do you battle it? How do you fight against it? How do you become a positive force within your organization? Hit me up, let me know. Let's keep the discussion going. Hopefully it's nicer weather wherever you guys are, even though we need the rain and it's beautiful when you're inside, it would be nice to see a little bit of sun coming through.
Have a fantastic day, we'll talk to you online and we'll see you on the show tomorrow.