
Ignorance & Risk

Some perceptions override the logic behind risk decisions. How do you fight through to make a sound decision?


Watch this episode on YouTube.

Reasonably Accurate Transcript

Good morning, everybody. How are you doing today? I hope you had a fantastic weekend and that you're set up for a wonderful Monday. Coming to you early today, and not because I'm on the road; as you can see, I'm actually here in my home studio.

I'm coming to you early because I've actually got some work going on in the house today, and that's what I wanted to talk about today. Not about the work itself, but the perception around real-world risk, and sort of ignorance of the details of the issues, or more the ability or tendency for people to stay focused on sort of a preconceived notion, whether it's correct or not. So, quick little backup, gonna roll this back for a second.

I live in an older home and it's a beautiful place and we really love it, but we're having some work done downstairs. And when the house was built, way, way, way back when, it was not uncommon to use asbestos in the foundation or in some products used around the foundation.

Now that we're having some work done, we need to have a qualified team come in to remove that. No, it's no big deal. But as soon as you say that word, asbestos, people have a preconceived notion and they're like, oh, wow.

OK. This is a disaster. It's a nightmare. Da, da, da. The reality is, it's not a big deal. There are very well-known risk factors to asbestos. Of course, it's a horribly toxic and carcinogenic substance.

It will make you sick, especially over the long term, but dealing with it is pretty much a known quantity. It's not a crazy thing to have to remove it. And to do that properly, you get a qualified abatement company and they'll take care of it.

But that preconceived notion of, like, oh, this is horrible, you're all gonna die, stands true in a lot of things. And that's what I want to talk about today: that preconceived notion when it comes to security, because I run into this way more often than I should, that people are freaking out.

They hear about a vulnerability, they go, remote code execution? No, that's bad. You need to stop that immediately or, you know, your entire company can grind to a halt. Yes, it's bad. You don't want people remotely executing code on your systems without your permission.

But is it the end of the world? Probably not. You need to put it in perspective. How likely is the vulnerability to be exploited? How many systems that you are running currently in production have that vulnerability?

Can you use some other mitigation method, like an IPS rule, to stop that vulnerability from being exploited while you actually fix the problem? But it's that initial pushback, that initial freak-out, that too many security teams buy into.

You need to be pragmatic. You need to step back, you need to be emotionless, data-driven, and realize what the facts of the matter are. OK, this is a vulnerability. It only affects 10 out of our 1000 servers.

We can put a mitigation in place. Or, you know what, that's running a noncritical service; we can put that service to the side for the moment and isolate it and monitor it closely, or we can even shut it down while we're fixing the issue.

It's not critical. But that initial pushback, that initial, ah, it's horrible, we need to fix it, is all too common, and it's understandable for a number of reasons. People really like that.

I'm doing something, I'm feeling valued, I'm providing, you know, value to the organization, I'm pushing and increasing the security posture. But don't buy into it. Hold back, use the data at hand. If you don't have the data, do the research and the legwork to get the data in order to make a decision that's based in logic. Just because you initially freak out doesn't mean that's the right reaction.

Now, of course, sometimes it is, but you should have the data to prove it. What do you think? Hit me up online. Let me know at marknca, in the comments down below, or by email.

What do you see in that relation between real-world risk, the actual risks themselves, and people's initial reaction? Can you gather the data to overcome that, or do you have to deal with that emotional side and work through it?

I think it's a really interesting issue, one I look forward to speaking to you about, and I hope you're set up for a fantastic day. I will talk to you online and I will see you on the show tomorrow.

Have a good one.
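The episode's argument is that the triage decision should come from the facts (how likely exploitation is, how much of the fleet is affected, whether the service is critical, whether an interim mitigation such as an IPS rule exists) rather than from the first reaction to a word like "remote code execution". The following is an added example, not code from the episode or its author, that encodes those questions as a repeatable decision rule. The `Finding` fields, the exploit-status scale, the decision labels and the thresholds are all assumptions made for this example; a real program would tune them to its own environment.

```python
"""Data-driven vulnerability triage (added example, not from the episode).

Encodes the episode's questions into a decision so the answer comes from the
facts at hand rather than the initial freak-out. Field names, the exploit-status
scale, thresholds and decision labels are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    name: str                 # identifier for the finding (placeholder in the demo below)
    affected_hosts: int       # production hosts that actually carry the vulnerability
    total_hosts: int          # size of the fleet those hosts belong to
    exploit_status: str       # assumed scale: "none", "poc", "weaponized", "active"
    service_critical: bool    # does the business notice if the affected service stops?
    interim_mitigation: bool  # e.g. an IPS rule that blocks the exploit path today


# Assumed likelihood weights per exploit status; 0.7 and above is treated as urgent.
EXPLOIT_WEIGHT = {"none": 0.1, "poc": 0.4, "weaponized": 0.7, "active": 1.0}
URGENT_THRESHOLD = 0.7


def exposure(f: Finding) -> float:
    """Fraction of the fleet affected, 0.0-1.0."""
    if f.total_hosts <= 0:
        raise ValueError("total_hosts must be positive")
    return min(f.affected_hosts, f.total_hosts) / f.total_hosts


def decide(f: Finding) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Every reason is a fact read from the finding,
    so the rationale can be shown to whoever is pushing for an emergency fix."""
    if f.exploit_status not in EXPLOIT_WEIGHT:
        raise ValueError(f"unknown exploit_status {f.exploit_status!r}")
    if f.affected_hosts <= 0:
        return "no_action", ["no production host carries the vulnerability"]

    share = exposure(f)
    reasons = [
        f"{f.affected_hosts}/{f.total_hosts} hosts affected ({share:.1%})",
        f"exploit status: {f.exploit_status}",
    ]
    urgent = EXPLOIT_WEIGHT[f.exploit_status] >= URGENT_THRESHOLD

    # Only the combination of real exploitation pressure, a critical service and
    # no way to buy time justifies dropping everything.
    if urgent and f.service_critical and not f.interim_mitigation:
        return "emergency_patch", reasons + ["critical service, no interim mitigation"]
    if f.interim_mitigation:
        return "mitigate_then_patch_in_window", reasons + [
            "interim mitigation (e.g. IPS rule) blocks exploitation while the fix is scheduled"]
    if not f.service_critical:
        return "isolate_and_patch", reasons + [
            "non-critical service: isolate or stop it and monitor while fixing"]
    if urgent or share >= 0.25:
        return "patch_next_window", reasons + ["critical service with notable exposure"]
    return "patch_in_normal_cycle", reasons + ["low likelihood and small footprint"]


def triage_report(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Convenience wrapper: (finding name, decision) for a batch of findings."""
    return [(f.name, decide(f)[0]) for f in findings]


if __name__ == "__main__":
    # Constructed scenarios; "FINDING-PLACEHOLDER-*" are not real identifiers.
    episode_case = Finding("FINDING-PLACEHOLDER-1", 10, 1000, "poc", False, True)
    worst_case = Finding("FINDING-PLACEHOLDER-2", 800, 1000, "active", True, False)
    for f in (episode_case, worst_case):
        decision, why = decide(f)
        print(f"{f.name}: {decision}")
        for line in why:
            print(f"  - {line}")
```

The episode's own scenario (10 of 1000 servers, non-critical service, an IPS rule available) lands on "mitigate, then patch in the next window", while a fleet-wide, actively exploited hole in a critical service with nothing to buy time is the only path to "emergency patch". The returned reasons are the data the episode says you should have in hand before you accept, or push back on, the initial reaction.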
