Constant Negative Pressure
13 minute read | Last updated 25-Jul-2018 | 
Rant, Security, Culture Change
Mornings With Mark no. 0086
Watch the episode on YouTube
Join the discussion on LinkedIn
Share on Twitter
Bad Robot Transcript
Morning, everybody. Welcome to the show as you can hear as you can see for those of you watching on the blog. It is absolutely pouring. It’s been pouring for pretty much the last 3 days on and off is ramping up in intensity. And I thought that was the perfect metaphor for today’s topic.
I want to talk about negative environment impact persistently negative environments and maybe not in the way that you think so we all know that there is a challenge around toxic work culture is toxic work environment, but I think there’s a bigger issue or a related issue in cybersecurity that we just don’t talk about enough and that is the fact of a negative attitude and a prevalent persistent negative attitude and it comes in a really subtle form when you’re just starting out in cyber security.
There is a tendency to use a lot of law enforcement and a lot of military analogies a lot of imagery a lot of this sort of like we are the good guys. We are fighting the bad guys. There are constant threats from cybercriminals and hackers and well that may be statistically true being under sort of a red alert non-stop wears down on you and I don’t think people realize just how much it wears down on you individuals on teams and how much that were constantly Under Siege type attitude really has a negative impact on the work but also on the relationships with the rest of the organization, so if you’ve seen me give a talk in public over the last two years, you’ve probably heard my little feel about redefining the goal of cybersecurity.
I am a firm believer in the goal of cyber security is to make sure whatever systems your building work as intended it only as intended the reason why I phrase it like that it’s maybe Splitting hairs, but it’s an important split because it can’t be done alone. It takes a more positive view on the goal of stopping malicious activity stopping attack stopping cybercriminals, but also preventing mistakes making resilient systems.
These are missing these last few things are missing from the definition of cybersecurity when you talk about just stopping bad guys and stopping attackers, nothing more common definition or at least perception of security that people have is that we’re here to stop hackers and yet that’s part of it, but it’s really about building.
It’s about building in a row row Boston resilient way making sure that the business in the organization that we work for our successful because I’ve seen the opposite. I’ve seen The View when the security organization internalizes that belief that they’re there to stop the bad guys there under constant threat.
There is always something lurking around the corner waiting to take you down. What ends up happening is relationships our even more than normal because none of the gloomy Gus, but also everything is viewed through that lens of constant attack. So when somebody says hey, we’re going to roll out this new system that’s going to be great for internal uses because of you to point A to point B.
The first reaction of people were constantly under threat is no hackers can take that down and I could be used against us a new Insider threat. I’m all those may be legitimate risks that persistent negative attitude skews evaluating those risks objectively. So there’s an organizational impact just as important.
If not more important. There’s no personal impact. If you are constantly feeling like you’re under attack like you’re under threat that changes your tone that changes your attitude that has a fundamental change on who you are as a person and that’s a bad thing. You did not want to feel like you’re constantly under threat that you’re constantly at risk.
But you’re constantly stressed out right? I hope that’s not a positive work environment. That’s not a way to actually achieve your security laws, which is why I find that so frustrating if that’s the approach that you’re taking it’s not going to last long. You may have some short-term success.
We make feel like you have some short-term success, but long-term you’re going to burn out you’re going to be depressed. You’re going to be worn down you’re going to developing you against the world sort of attitude because that’s the worldview that you’re pushing so don’t know where their organization affects their personal impact as well.
And I think we don’t talk about those nearly enough. I think we need to take a more positive view of the role of the Year saying cybersecurity is a business enabler. What are the ways you can make it in the neighbors by shifting that persistently negative attitude into a more pragmatic one into a more positive one and two more collaborative one working as an educator within your organization of the threats that are out there, but putting them in perspective because we see hundreds of thousands and Millions of attacks per day on the internet doesn’t mean that those are going to be successful.
It doesn’t mean that just because there are constant hits against your firewall that you are under non-stop Onslaught that’s worthy of your attention set up your defenses build resilient systems, make sure that they’re taken care of all that for you worry about the bigger stuff. So a pet peeve of mine is threat hunting people who spit up for Huntington’s like a we are going to go find these persistent threat that we know.
We’re on our Network. First of all, it feels very much like a snipe hunt. If you don’t know what that is Google it, it’s hilarious but it feels very much like okay. This is a team is tasked with one thing. They’re going to go find existing threats in the network ignoring the fact that there’s a ton of easy low-hanging fruit that needs to be done within the rest of the organization, but it’s simpler from an organizational point of view to sort of Insidious and difficult to find and it’s going to take a long-term effort have to dig it and are the only hope it’s a hero mentality.
It’s a sort of some sure there’s some psychological complex. That’s not a bad activity. It just have that set up again to reinforce this sort of persistently negative attitude. That’s not to say that activity isn’t worthwhile in the proper context when you’re all ready able to patch quickly when you’re able to educate your employees in your team members in the organization on making Smart Security decision when you can work and collaborate with the rest of the teams with an it to deliver resilient systems, I think we have a massive crisis when it comes to cybersecurity culture and I think we need two very very much right this we need to turn around and go completely essentially in the other direction when it comes to culture.
We need to realize that it is a you can take a positive slant on this and still be reasonable. You can still be pragmatic if it still. Send your organization. You don’t have to believe that you’re under constant threat. I’m even if you are you need to be able to put that in perspective.
If you need to be able to work with other teams. I know we tackle some deep stuff here on what do you think? Hit me up online at Mark NCAA in the comments down below is always on the blog and buy email me at Mark n. C a i want to know what you think.
Do you notice the negative attitude? What’s the what’s the impact been on you? How do you how do you fight against how do you become a positive force within the organization rain and it’s beautiful when you’re inside it be nice to see a little bit of sun coming through.
Have a fantastic day. Will talk to you online. I’ll see you on the show tomorrow. Morning, everybody. Welcome to the show as you can hear as you can see for those of you watching on the blog. It is absolutely pouring. It’s been pouring for pretty much the last 3 days on and off is ramping up in intensity.
And I thought that was the perfect metaphor for today’s topic. I want to talk about negative environment impact persistently negative environments and maybe not in the way that you think so we all know that there is a challenge around toxic work culture is toxic work environment, but I think there’s a bigger issue or a related issue in cybersecurity that we just don’t talk about enough and that is the fact of a negative attitude and a prevalent persistent negative attitude and it comes in a really subtle form when you’re just starting out in cyber security.
There is a tendency to use a lot of law enforcement and a lot of military analogies a lot of imagery a lot of this sort of like we are the good guys. We are fighting the bad guys. There are constant threats from cybercriminals and hackers and well that may be statistically true being under sort of a red alert non-stop wears down on you and I don’t think people realize just how much it wears down on you individuals on teams and how much that were constantly Under Siege type attitude really has a negative impact on the work but also on the relationships with the rest of the organization, so if you’ve seen me give a talk in public over the last two years, you’ve probably heard my little feel about redefining the goal of cybersecurity.
I am a firm believer in the goal of cyber security is to make sure whatever systems your building work as intended it only as intended the reason why I phrase it like that it’s maybe Splitting hairs, but it’s an important split because it can’t be done alone. It takes a more positive view on the goal of stopping malicious activity stopping attack stopping cybercriminals, but also preventing mistakes making resilient systems.
These are missing these last few things are missing from the definition of cybersecurity when you talk about just stopping bad guys and stopping attackers, nothing more common definition or at least perception of security that people have is that we’re here to stop hackers and yet that’s part of it, but it’s really about building.
It’s about building in a row row Boston resilient way making sure that the business in the organization that we work for our successful because I’ve seen the opposite. I’ve seen The View when the security organization internalizes that belief that they’re there to stop the bad guys there under constant threat.
There is always something lurking around the corner waiting to take you down. What ends up happening is relationships our even more than normal because none of the gloomy Gus, but also everything is viewed through that lens of constant attack. So when somebody says hey, we’re going to roll out this new system that’s going to be great for internal uses because of you to point A to point B.
The first reaction of people were constantly under threat is no hackers can take that down and I could be used against us a new Insider threat. I’m all those may be legitimate risks that persistent negative attitude skews evaluating those risks objectively. So there’s an organizational impact just as important.
If not more important. There’s no personal impact. If you are constantly feeling like you’re under attack like you’re under threat that changes your tone that changes your attitude that has a fundamental change on who you are as a person and that’s a bad thing. You did not want to feel like you’re constantly under threat that you’re constantly at risk.
But you’re constantly stressed out right? I hope that’s not a positive work environment. That’s not a way to actually achieve your security laws, which is why I find that so frustrating if that’s the approach that you’re taking it’s not going to last long. You may have some short-term success.
We make feel like you have some short-term success, but long-term you’re going to burn out you’re going to be depressed. You’re going to be worn down you’re going to developing you against the world sort of attitude because that’s the worldview that you’re pushing so don’t know where their organization affects their personal impact as well.
And I think we don’t talk about those nearly enough. I think we need to take a more positive view of the role of the Year saying cybersecurity is a business enabler. What are the ways you can make it in the neighbors by shifting that persistently negative attitude into a more pragmatic one into a more positive one and two more collaborative one working as an educator within your organization of the threats that are out there, but putting them in perspective because we see hundreds of thousands and Millions of attacks per day on the internet doesn’t mean that those are going to be successful.
It doesn’t mean that just because there are constant hits against your firewall that you are under non-stop Onslaught that’s worthy of your attention set up your defenses build resilient systems, make sure that they’re taken care of all that for you worry about the bigger stuff. So a pet peeve of mine is threat hunting people who spit up for Huntington’s like a we are going to go find these persistent threat that we know.
We’re on our Network. First of all, it feels very much like a snipe hunt. If you don’t know what that is Google it, it’s hilarious but it feels very much like okay. This is a team is tasked with one thing. They’re going to go find existing threats in the network ignoring the fact that there’s a ton of easy low-hanging fruit that needs to be done within the rest of the organization, but it’s simpler from an organizational point of view to sort of Insidious and difficult to find and it’s going to take a long-term effort have to dig it and are the only hope it’s a hero mentality.
It’s a sort of some sure there’s some psychological complex. That’s not a bad activity. It just have that set up again to reinforce this sort of persistently negative attitude. That’s not to say that activity isn’t worthwhile in the proper context when you’re all ready able to patch quickly when you’re able to educate your employees in your team members in the organization on making Smart Security decision when you can work and collaborate with the rest of the teams with an it to deliver resilient systems, I think we have a massive crisis when it comes to cybersecurity culture and I think we need two very very much right this we need to turn around and go completely essentially in the other direction when it comes to culture.
We need to realize that it is a you can take a positive slant on this and still be reasonable. You can still be pragmatic if it still. Send your organization. You don’t have to believe that you’re under constant threat. I’m even if you are you need to be able to put that in perspective.
If you need to be able to work with other teams. I know we tackle some deep stuff here on what do you think? Hit me up online at Mark NCAA in the comments down below is always on the blog and buy email me at Mark n. C a i want to know what you think.
Do you notice the negative attitude? What’s the what’s the impact been on you? How do you how do you fight against how do you become a positive force within the organization rain and it’s beautiful when you’re inside it be nice to see a little bit of sun coming through.
Have a fantastic day. Will talk to you online. I’ll see you on the show tomorrow.
