Cybersecurity Professionals — “In the Arena”

I was inspired by a recent LinkedIn post by my colleague, Ed Amoroso, from TagCyber, who spoke about the personal attacks and blame being levied on cybersecurity experts in recent days. Unfortunately, this is predictable behavior that we have seen in the past (especially after a major cyber incident) and will likely continue to see in the future unless certain philosophies and attitudes change.

To a Cyber Hammer, Everything Looks Like a Cyber Nail

Cybersecurity often is equated with purely “technology-related” issues as we are focused on defending our systems and networks by employing an arsenal of safeguards to do so. But, while technology is important, leadership also plays a critical role in the development of successful cybersecurity programs for enterprises of all sizes in the public and private sectors. Leaders take responsibility and are accountable for things that happen or fail to happen in their organizations. The treatment or “response” to cybersecurity risk is a business decision as illustrated in the graphic below from NIST Special Publication 800-37. The problems that we have today exist because the right people are often not taking ownership of the right problems.

[Image: risk response graphic from NIST Special Publication 800-37]

Ships, Football Teams, and CISOs

In the Navy, when a ship runs aground, the captain is usually held responsible, even if the root cause of the mishap can be traced back to one of the crew. And, most likely, the captain will be relieved of command. Accountability. In football, if a team has a losing season, typically, the first action by the team owner is to fire the head coach, not trade the quarterback or get rid of the offensive line. Accountability. But in the cybersecurity business, this philosophy is often turned on its head. After a major cyber breach or incident occurs in an organization, the blame is often placed on the cybersecurity professionals, including the Chief Information Security Officers (CISOs). Senior leaders ask these cybersecurity professionals to do some of the most difficult and challenging work in any organization—and sometimes with significant staff shortages, limited resources, less than desired management support, and flawed or non-existent protection strategies. They are put on the front lines and given “moral support” until the “big one” happens. Then, as the stuff hits the fan, they are blamed for the adverse consequences, as if they were isolated entities in the organization instead of key players on the team. Does this happen all of the time? No. But it happens often enough to be noticeable.

Enter TR, Stage Right

So, the first thing I thought of when I read Ed’s article was a very famous speech by Teddy Roosevelt—as it so aptly applies to today’s cyberdefenders.

“It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.”

Our cyberdefenders are on duty 24/7. In the trenches. Nights, weekends, and holidays. They are deploying the safeguards, scanning and monitoring the systems and networks, patching applications, and mitigating vulnerabilities. And, unlike baseball, where getting a base hit one out of every three at bats is considered All-Star material, cyberdefenders have to be right every time. That’s impossible, but TR would be proud of them.

Ground Hog Day—Again?

So, what can we do to fix this problem? I recommend watching the movie “Groundhog Day” and then doing these four things:

  • First, give the members of your cybersecurity team your heartfelt thanks and gratitude for their tireless efforts. Seek to understand (up close and personal) their stress and the myriad of challenges they face every day.
  • Second, give your cyberdefenders a strategy that can help them be successful—including a full defensive unit as described in several of my recent articles [1][2][3].
  • Third, put the responsibility and accountability for cybersecurity in your organization at the top of the food chain, where it belongs—just like football coaches and ships’ captains. It should start with the Board of Directors and the CEO.
  • Fourth, if you’re outside the organization looking in, don’t assign blame unless you’re on the field of play and in that game (i.e., “in the arena”) because you really don’t have the context to judge.

And, one final thought. A new definition to ponder.

Cyber-insanity: Implementing the same old protection strategies over and over again and expecting different results.

Let’s try to avoid “cyber-insanity” in 2021.

Happy New Year everyone!!

[1] R. Ross, “The Mysterious Disappearance of Systems Security Engineering”

[2] R. Ross, “The Adversaries Live in the Cracks”

[3] R. Ross, “Rethinking Our View of System Security”

A special note of thanks to Mark Winstead, Keyaan Williams, Victoria Pillitteri, Greg Touhill, Tony Cole, and Malcolm Harkins, long-time cybersecurity and SSE colleagues, who graciously reviewed and provided sage advice for this article.

Derek Krein, CASP, GSTRT

Award Winning: Security Architect · Strategist · Innovator · Problem Solver · Evangelist · Speaker

4 years

Great article. Love the definition of Cyber-insanity!

Mark Allers

Vice President of Business Development at Cimcor with a focus on System Integrity Assurance, Zero Trust, Closed-Loop Change Control, DevSecOps and Compliance

4 years

Ron...loved that you used one of my favorites...Man In the Arena.

Pete Gouldmann

Architect of successful IT and cyber focused programs

4 years

Ron, Great perspective! I remember the day we added the side bi-directional arrows of communications. It is unfortunate that they only seem to function fully in some organizations when a problem arises.

Kurt Jensen

Senior Cyber Security Engineer (Operational Technology)

4 years

Yes, and when organizations run without the effective leadership that acknowledges its stake in cyber issues and that empowers their teams adequately to address these needs, no Cyber program can likely succeed. Leadership counts. All real cyber defenses need buy-in.
