The Funny Thing About Blind Spots

When I was in college, I got a job one summer at a comedy club. It wasn't as glamorous as it sounds. I didn't get to meet any comedians. My job was essentially that of a telemarketer. I would call people who had attended previous shows and tell them they had won free tickets to see the next show (with a two-drink minimum, of course). Everybody won free tickets, because only a handful of people would actually take them up on the offer.

I did get some free drinks. I did see some shows. But I worked during the day, so the shows that I saw were actually comedy defensive driving. (This is a thing in Texas: a comedian does your defensive driving course so you don’t mind the 6 hours of being reminded how bad a driver you are.) My lunch break was always at the same time of day, so I saw the same part of the defensive driving class maybe 20 or 30 times. 

The part of the course I saw was about blind spots. Most people who've gone through Driver’s Ed know that there's an area behind a car you can’t see in any of your mirrors. Driver’s Ed courses teach students that you actually have to turn around and look to check your blind spot. Despite this, people forget to check their blind spot often enough that some cars now have lights in their mirrors that illuminate when the car senses another car in that spot.  

The part of the comedy defensive driving routine that stuck with me the most is that even the good drivers that remember to check their own blind spot don't necessarily realize when they're in someone else's blind spot. To this day, I feel physically uncomfortable when I notice that I'm in someone else's blind spot because it puts me at risk. I'll speed up or slow down to get out of this position. 

So when it comes to security, what blind spots do you have? How can you avoid them? 

I recently went through the process of evaluating two different companies for their Security Operations Center (SOC) services. Each one had some great staff members who had years of experience. Each one had lots of great technology. Before I went through the process, I wasn’t sure how I would decide: would I just go with the cheapest solution, so long as it met my minimum requirements? Would I go with the one that sent the most alerts? Or the one that found the most interesting alerts?

As it turns out, the process of evaluating two different vendors side by side provided a way to find each of their blind spots. Each one found alerts that the other had missed. Now, it's not necessarily feasible or even responsible to have two different SOCs. But that's how blind spots work: until you look, you won't know. We use this same process to evaluate lots of different technologies, from intrusion prevention to antivirus: run the candidates against the same traffic and compare what each one catches. Scientists use the same method, independent observations compared against each other, to reduce bias in their research.
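The comparison described above can be done mechanically once both vendors' alerts are in a common shape. The script below is an added example (not the author's code or either vendor's export format); it assumes each vendor delivers alerts as rows with a timestamp, a host, and an indicator, and treats two alerts as the same finding when host and indicator match after normalization and the timestamps fall within a tolerance window. The alert rows are constructed for illustration. What each vendor raised that the other did not is that vendor's blind spot.

```python
"""Differential evaluation of two alert feeds to surface each one's blind spots.

Added example, not code from the original article. Assumes each vendor
exports alerts as rows of (timestamp, host, indicator) and that two alerts
describe the same finding when host and indicator match within TOLERANCE.
All alert rows below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed sample feeds from two hypothetical vendors, A and B.
# Note the case and timing differences on the shared findings.
VENDOR_A = [
    {"ts": "2019-03-04T10:02:11", "host": "ws-0417", "indicator": "mimikatz.exe"},
    {"ts": "2019-03-04T10:15:40", "host": "srv-db01", "indicator": "198.51.100.23"},
    {"ts": "2019-03-04T11:30:05", "host": "ws-0203", "indicator": "powershell -enc"},
]
VENDOR_B = [
    {"ts": "2019-03-04T10:03:59", "host": "WS-0417", "indicator": "MIMIKATZ.EXE"},
    {"ts": "2019-03-04T11:31:00", "host": "ws-0203", "indicator": "powershell -enc"},
    {"ts": "2019-03-04T12:10:22", "host": "srv-web02", "indicator": "webshell.aspx"},
]

# Two vendors rarely stamp the same event at the same second; allow some drift.
TOLERANCE = timedelta(minutes=5)


def normalize(alert):
    """Reduce a vendor row to (datetime, host, indicator) with case folded."""
    return (
        datetime.fromisoformat(alert["ts"]),
        alert["host"].strip().lower(),
        alert["indicator"].strip().lower(),
    )


def matches(a, b, tolerance=TOLERANCE):
    """Same host, same indicator, timestamps within tolerance."""
    ta, ha, ia = a
    tb, hb, ib = b
    return ha == hb and ia == ib and abs(ta - tb) <= tolerance


def blind_spots(feed_a, feed_b, tolerance=TOLERANCE):
    """Return (only_a, only_b, both): alerts unique to A, unique to B, and shared.

    Each B alert is consumed at most once so a duplicate in A cannot match
    the same B alert twice.
    """
    norm_a = [normalize(x) for x in feed_a]
    norm_b = [normalize(x) for x in feed_b]
    matched_b = set()
    only_a, both = [], []
    for a in norm_a:
        hit = next(
            (j for j, b in enumerate(norm_b)
             if j not in matched_b and matches(a, b, tolerance)),
            None,
        )
        if hit is None:
            only_a.append(a)
        else:
            matched_b.add(hit)
            both.append(a)
    only_b = [b for j, b in enumerate(norm_b) if j not in matched_b]
    return only_a, only_b, both


if __name__ == "__main__":
    a_only, b_only, shared = blind_spots(VENDOR_A, VENDOR_B)
    print("Vendor B's blind spots (seen only by A):")
    for ts, host, ind in a_only:
        print(f"  {ts}  {host}  {ind}")
    print("Vendor A's blind spots (seen only by B):")
    for ts, host, ind in b_only:
        print(f"  {ts}  {host}  {ind}")
    print(f"Findings both vendors raised: {len(shared)}")
```

The tolerance window and the case folding are the two knobs that decide whether a "miss" is real. Set the window too tight and clock skew between sensors shows up as a blind spot; set it too loose and two unrelated alerts on a busy host get folded together. Run it with the tolerance deliberately tight and loose and read both reports before concluding anything about either vendor.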

Blind spots are part of nature. Our eyes are even built with them. 

Try this experiment. Close your left eye. Look directly at someone's face about 10 feet away. Slowly move your eye to the left (towards your nose) about 15 degrees. At the right distance, the face you were admiring will disappear from your vision. This is due to the natural blind spot in your eye, the small circle where the optic nerve attaches to the retina. At that spot there are no photoreceptors, which creates a small blind spot in each eye. The effect is subtle; you may not notice it unless you're looking for it, because your visual system fills in the gap with the colors and textures of the surrounding area.

Your brain compensates for these blind spots by stitching together the images from each eye to fill in the two blind spots and create one complete image. The perspective of one eye alone is incomplete. You need the added perspective of the other eye to see the whole picture.  

There are two types of blind spots: those where you just don't notice something in your field of vision, and those where you aren't looking at all because you don't know to look there.

Your mind has evolved to fill in the blind spot with the textures or colors around it because it assumes there is very little chance that anything important is there. But we don't usually call the world behind us a blind spot, and our minds don't fill in any shapes behind us, because there could be a hungry lion or an angry caveman ready to pounce.

How do we find our blind spots when it comes to security? It seems like everything in the cyber world is filled in like the textures in the first example rather than the known unknown territory behind us like in the second. 

Daniel Kahneman, the Nobel prize-winning psychologist who, with Amos Tversky, helped found the field of behavioral economics and the study of cognitive bias, writes that essentially brains are lazy. Our minds tend towards the least amount of thinking required for any task. This results in what he calls the phenomenon of "what you see is all there is." Because our brains have evolved to minimize cognitive load, they don't go looking for a more complete picture before making a decision; we believe we are already seeing the whole picture.

I was telling my story about the comedy defensive driving to my wife when she got this weird look on her face. It turns out that she had never heard of such a thing. Perhaps this is just a Texas thing, but it surprised me to learn that not everyone knew that there could be a fun connotation with something as dreaded as having to do defensive driving. She may actually be interested in taking a defensive driving class now just for fun (or maybe she was just humoring me).

From a security perspective, what would make us want to look for things that might be in our blind spots? After all, for many businesses, there may be a disincentive for finding out. If you discover something, you might have to fix it and perhaps the resources aren’t there to do so. Worse, if you discover something, someone might get fired because they weren’t doing their job. The answer, I think, is to make security fun. Instead of using fear or compliance to direct people, we should be using humor or laughter to make things feel safe. My next security awareness class might have to be taught at a comedy club.

George Finney is the author of No More Magic Wands: Transformative Cybersecurity Change for Everyone and has worked in Cybersecurity for over 15 years. He is currently the Chief Security Officer for Southern Methodist University, where he has also taught on the topic of Information Assurance. Mr. Finney is an attorney and is a Certified Information Security Manager as well as a Certified Information Systems Security Professional, and is a regular speaker on Cybersecurity.

Colleen Edwards

Senior Marketing Executive | All-Star Team Leader | Growth Accelerator | Brand Builder | Doctoral Student in Communications | Responsible AI Advocate/User

6 years ago

Great post.

Jonah Kuehne

Gap Filler for Zero Trust.

7 years ago

Great analogy! I suppose the challenge there is determining when our brains should "not" be lazy and look for the bigger picture. I would think further education is the answer to know better for next time. We can't limit ourselves to what only we know or see.

Paul Caplin

Market Leader, IT Automation and FinOps

7 years ago

This one really resonates
