Cybersecurity, heal thyself

A very recent failure on my part, for one of my own systems, reminded me of a couple of very old proverbs (dictums). “physician, heal thyself” and “the cobbler’s children have no shoes” [1][2]. In addition, I thought that this was not only a personal reminder for my own Information Technology (IT) related resources, but also useful advice for any cybersecurity organization. There are certainly deeper interpretations of the above proverbs, but the straightforward concept that I’m focusing on here is the notion that one spends so much time doing something for others, that they neglect that which is closest to them. For example, physicians working themselves ragged, or burning out, as they try harder and harder to treat/heal everyone. The shoe maker is so busy making or repairing shoes for customers that there is not time to properly shod their own family. I’m glad to report that my own personal IT issue was not related to a cybersecurity compromise, but the simple issue of ensuring an up-to-date backup. When I migrated to a new workstation, I was so busy “getting things done” for various cybersecurity initiatives, that I did not take sufficient time to establish all the supporting services I needed for the new platform. It is fortunate that in today’s enterprise a variety of collaborative tools are utilized, where most key data is not stored on local workstations. However, it still hurt to lose a set of local files that will be difficult or impossible to replace. Ironically, we even had recently created some enterprise communication content, to reminder our community about the necessity to have active and up-to-date, backup services for their IT environments.

I think it is fair to say that the majority of IT organizations in the world, do not have sufficient resources to handle everything on their plates. There is always more that either needs to be done, or is desired to be done, in order to do the best job possible in the IT space. Perfection is not possible, but constantly driving to achieve perfection, is possible and very worthwhile. Tradeoffs are a constant in the IT world and the cybersecurity area is certainly no different. In most cases, such tradeoffs are identified and reviewed by management and their teams, with informed decisions on the actions taken, or not taken. However, in some cases the tradeoffs being made are implicit.?

One of these implicit tradeoffs, is when an IT group spends so much time working to ensure that others are doing everything that is needed that they don’t leave sufficient time to properly take care of their own IT resources. I think that oversight organizations, such as a cybersecurity group, can be particularly susceptible to this condition. Some of the primary functions of such a group, is to educate, guide, assist, and review the implementation and operation of their organization's IT environments. The IT security team is constantly working to improve the overall cybersecurity posture of their enterprise. As anyone in this field knows, such work is never complete. There are always gaps to address and each day brings new vulnerabilities and threats that need to be handled. With cyber-vision so focused on the IT environments managed by others, it is so easy to to have blinders on for your own IT.??

If you were thinking that this article might provide some magic insight or even magic bullets, unfortunately that is not the case this time, much as I would like to. When it comes to this aspect of IT and cybersecurity, taking care of what is needed primarily comes down to awareness and diligence. So, fire up your favorite mechanisms for keeping track of planned and unplanned “todos” for the personal IT resources you utilize in your work and for those resources managed and, or utilized by your team. And then, here comes the toughest part, don’t let these "todos" slide. Resist the urge to ignore notifications or let deadlines slip. Carve out time each week, month, or quarter, to make sure that you and your team are able to cover what is needed for your own IT. The good news is that there are some additional benefits that will come along with maintaining a good cybersecurity posture for your own IT resources.?

• Managers and team leaders are setting an example for their own team
• The cybersecurity team sets an example for the entire enterprise organization
• Direct experience with the notifications, tools, services, and best practices, utilized by the enterprise, provides valuable experience that can drive iterative improvements. This also facilitates greater understanding when responding to problems or enhancement requests, which are submitted by the community.
• Greater awareness and understanding of the overall impact of cybersecurity related activities and the level of time, effort, and, or people that are required to do them properly.
• Making it less likely that the cybersecurity professional or your cybersecurity team will be hacked or fail an audit. This at a minimum is embarrassing, but could also lead to more substantive consequences such as dismissal.

Information Technology, in many respects is like a living organism and there are many parallels drawn from animals and humans. In fact, we often use similar terminology, like "bugs", "viruses", and "worms". In the realm of personal health and wellbeing, if you don’t take care of yourself properly, at some point you will not be well enough to take care of others [3][4]. In essence you need to be selfish at times, in order to ultimately be able to do the most good for all. Likewise, in the world of cybersecurity it is also important that you and your team take good care of your own IT environments, for not just your own benefit, but the benefit of the entire organization. I’ll throw in just one more popular dictum, this one captured in a quote from Ben Franklin, “an ounce of prevention is worth a pound of cure” [5].?Let's make sure everyone in "the family" has a good pair of shoes... for protection, for performance, and even, why not, some style too!

Boring Disclaimer: These thoughts are my own and I am not posting as a representative of any company. Your mileage may vary. Objects in mirrors and binoculars may be scarier than they appear (or they might not). If this had been an actual emergency, you and I would likely be doing something more important.

References:

[1] https://thephysicianphilosopher.com/physician-heal-thyself/

[2] https://english.stackexchange.com/questions/159004/the-cobblers-children-have-no-shoes

[3] https://hbr.org/2020/04/to-take-care-of-others-start-by-taking-care-of-yourself

[4] https://hbr.org/2020/02/how-to-overcome-your-obsession-with-helping-others?ab=at_art_art_1x4_s01

[5] https://www.goodreads.com/quotes/247269-an-ounce-of-prevention-is-worth-a-pound-of-cure

[6] Circle of shoes image attributed to: Photo 88050019 ? Economica20 | Dreamstime.com