In Lewis Carroll’s timeless novel, Through the Looking Glass, Alice begins her adventure by stepping through a mirror into the fantastic world beyond it, a world of backwards poetry, made-up rules, outlandish characters, and nonsense masquerading as common sense (and vice versa). She does her best to navigate her way through her various encounters and across a chessboard that holds one surprise after another, no rules to speak of, with everything and everyone not quite behaving as they should. It’s all very confusing.
Just like a Chief Information Security Officer must feel looking out into the world of cybersecurity.
When they take a walk through the mirror of cybersecurity, they, too, encounter a fantastic world — omniscient super hackers who seem to be able to crack any password or encrypted file; viruses and malware that bloom like magic mushrooms in the night; nightmare scenarios that come true in which billions of precious pieces of data are exposed; and so-called security experts spouting remedies that must sound a little like Jabberwocky. And, like Alice when she’s on the other side of her looking glass, these CISOs know things aren’t quite right, but the velocity of events and their unreality seem to pull them headlong through the strangeness at a speed that would make the Red Queen envious.
But Alice, for all her tender years, was pretty smart about how to deal with her crazy-making surroundings. She used her imagination to help keep her wits about her. And while she accepted the oddities she came across at face value, she never really forgot where she was.
Today’s CISOs might do well to emulate her spirited and determined courage. And remember where they are.
The realm of cybersecurity isn’t a magical, mysterious netherworld where people have super powers. In other words, as much as the engineers among us would be thrilled with the idea, it’s not “Tron.” It’s a bunch of computers that are connected together. They operate on 0’s and 1’s. They do what we tell them to do and when we unplug them, they don’t do anything at all. When something happens in this world, we know it because it flips a bunch of those 0’s and 1’s and that transaction is always identifiable. Always.
Furthermore, the vast majority of bad actors aren’t James Bond-grade villains. They’re more like Tweedledee and Tweedledum. Sure, they may be well-trained, government-sponsored professionals, but they’re not any smarter than our well-trained, government-sponsored professionals. I know this because I used to be one. We were great and made lots of mistakes.
There are all kinds of attacks all the time — lots and lots of them — and the overwhelming majority are not successful. When they are successful, almost invariably, it’s because someone in the organization, call them Patient Zero, enabled it. We have met the enemy and he or she is us. Cybersecurity is like a mirror because it’s a reflection of what we’re doing, just as much as it is a depiction of what’s being done to us.
Take socially-engineered phishing, for instance. It’s by far the most effective approach. Of course, we’ve come a long way from the well-educated, but unfortunate political operative in Nigeria who just needs your bank account and routing numbers so he can wire you the $2.5 million he needs to smuggle out of the country in order to get his mom out of jail and his Ferrari out of hock.
But people do it. Every day. Thousands and thousands of people are lured. And not just those who are a little technologically impaired and don’t really understand how this stuff works. People who should know better do it, too. That’s how these guys get in. With help.
And when they do, that’s when the security companies flock in. They’ll tell you how it happened in jargon you can barely understand and they’ll begin to clean up the problem using some very esoteric technology. They’ll say it was a very sophisticated attack that couldn’t have been prevented. (Which is more nonsense from the other side of the mirror.) And then they’ll install more firewalls and authentication and it will take everyone a lot longer to log in and get online so someone else can make the same mistake on a different, but just as remarkably authentic-looking, phishing attack.
The CISO knows he or she can do a lot better. They must. Because their careers, and the well-being of their organizations online, depend on it. And there’s no reason why they can’t. Right now, there are hundreds of things that we do every day that are a lot harder than cybersecurity. So it’s puzzling why we’re so willing to readily accept defeat in this one area. Yes, it’s a strange world. But it’s not that strange.
Just go ask Alice.