Cyber Security Is About the Mindset
Daniel Jensen
Cyber Security Analyst, Engineer, Evangelist and Leader | temporarily former CISSP | C|EH | ITIL | GIAC | (fm) CRISC, CCENT
Cyber security is about the mindset. Going beyond the tools, the cyber security mindset needs to include three things: curiosity, urgency, and consistency. These are the elements that will make your cyber security program its most effective.
1. Curiosity:
Curiosity is the ability and the drive to look for the unseen. Useful principles can be drawn from seemingly unrelated fields.
I just successfully completed a course on anti-terrorism, "Level 1 Anti-Terrorism Awareness Training". Many of the principles related to good anti-terrorism efforts also apply to good cyber security. My goal was to broaden my thinking when it comes to cyber security.
Here is one example. In an active shooter situation, once you are behind an object, it is best to crouch rather than lie flat. Ricocheting bullets tend to hug the floor, so lying down makes you more vulnerable than crouching does. Is your response during a cyber security attack the most effective it could be? Does that response leave the smallest surface that can be damaged?
I will give a couple of other examples. Hostage taking: it is best to cooperate with the rescuers. Is your response to an attack (such as ransomware) impeding the rescue efforts? Your information is the "hostage". Are you allowing the rescuer to do what they do best, or are you trying to tell them how to do their job, thus impeding their efforts?
Surveillance and predictability: are you doing things in a way that lets attackers study and predict your patterns and responses? The most damaging attacks are the "low and slow" advanced persistent threats. In these cases the attacker has spent a long time studying your patterns so they can attack you without being discovered. Predictability results in blind spots, and blind spots are vulnerabilities. Be unpredictable to the attacker.
Use other industries to gain insights that could benefit your cyber security function. Be curious.
2. Urgency:
We save people's lives. Please see my article linking cyber attacks to human trafficking: https://www.dhirubhai.net/pulse/cyber-security-holistic-perspective-saving-lives-human-jensen/.
I know that there are unseen victims of cyber attacks. The one that touches me the most is human trafficking. We make it harder for human traffickers to sell information and thus support their trade.
Some attackers also build profiles of human targets: people in positions of knowledge, power, or influence. Some of the information is gathered from seemingly innocuous sites. It can also be gathered from hacked organizations. One of the more public examples of this is the e-mail crafted for and sent to John Podesta. While there was publicly available information on Mr Podesta, it is likely that the attackers compromised other sites to gain information on him before crafting their phishing e-mail. Mr Podesta did the right thing in asking his information technology support staff whether he could give his password to the organization that sent the e-mail. The support person's advice that it was "OK" for Mr Podesta to give out his password was inexcusable. What a mess this created for the organization!
3. Consistency:
A cyber security program is only as good as the consistency with which it is applied. This should hold from top to bottom and from side to side. Exceptions can be made only when written and published policy allows for them as an "Exception to Policy". Just as in counter-terrorism, a cyber security program becomes more vulnerable when there is complacency or an ethical lapse. Please see my article on ethics and cyber security: https://www.dhirubhai.net/pulse/over-arching-importance-ethics-cyber-security-daniel-jensen/.
I am not saying that complacent cyber security professionals are unethical. I am saying that they allow for more blind spots and vulnerabilities. One such threat would come from the inside.
I hope that this article leads to increased curiosity, urgency and consistency.