By the title of this post, you might think this is some kind of a complaint by a disgruntled security officer—unhappy that his users will not pick longer passwords or change them every thirty days. But I am not here to complain, I am simply pointing out a fact. No one cares about cybersecurity, nor should they. That is because cybersecurity is not the end goal—it’s only a means to get what we really want: risk transference, pain avoidance, and peace of mind.
An Abstract Speculation
I came to this flash of the blindingly obvious several months ago while I was trying to convince another potential client to invest some of his organization’s limited resources toward a cybersecurity assessment. In the end, he declined my services, and I was puzzled. Why didn’t he connect the dots between hiring me and improving his organization’s cybersecurity protections? Maybe I hadn’t explained what I do well enough. Maybe he didn’t understand how assessing his current security mechanisms would allow me to pinpoint his organization’s weaknesses and recommend fixes. Maybe he didn’t understand that my team was NSA-certified and would deliver a high-quality report. In the end, I realized he just didn’t care about cybersecurity all that much.
And why should he? It’s really an abstract speculation. How secure are you? Can anyone provide an objective answer to that question? Cybersecurity experts propose various metrics and standards, but does anyone really know just how “secure” (or resilient) they really are? No. And even if you could answer that question, what difference would it make? The thing that IT decision makers really want is for someone to help them make this awful problem of hacking go away. They want a happy life and to not have to deal with unpleasant things like data breaches.
IT managers want a well-respected cybersecurity firm to perform a competent audit of their systems and identify issues that need to be resolved. Not necessarily for the purpose of becoming more “secure,” but to be able to transfer the risk (blame) of the next security incident to the security auditors. They want to be able to say, “I’m not sure why this happened. We hired the very best pen testers from Pretty Good Security, Inc., and we fixed all the critical issues they identified…” It’s not exactly an Oscar-winning script, but it’s better than “deer in the headlights” (which is the standard look for most IT managers after a security incident).
My very best long-term cybersecurity clients are the ones that have experienced a painful and costly security incident. Why? Because they know how expensive and painful a data breach is. While the majority of potential clients debate whether to have a pen test in the third or fourth quarter of the year, data breach victims schedule their security testing right away—and frequently. They recognize that an ounce of preventative security testing is worth a ton of incident response.
Peace of Mind
There’s a certain comfort in knowing that you’re proactively testing your cybersecurity, fixing what’s wrong, and monitoring for anything else that gets through your defenses. It leads to an understanding that you’re much better off than you used to be, and that any hacker who does succeed in bypassing your protections or finding a weak link in your security posture will be detected within a reasonable amount of time and dealt with. The more you look into your own security, the more you identify additional security issues that had previously been missed or needed correcting. After a time, this process leads to peace of mind—not because security testing makes you “hacker-proof,” but because it provides a realistic understanding of risk.