I was listening to an interview with a former chairman of a national bank. He explained how the future ‘FinTech’ businesses will have to operate. He mentioned the term brutal self-reflection.
I often remember that and reflect on the meaning.
I applied for a CISO role with a FinTech company. The CEO of the company asked me an interesting question: “What percentage of the available resources would you dedicate to prosecuting and capturing perpetrators if a hack occurred?”
I paused for a few seconds and replied: “Less than 50 percent.” My response surprised him. “Prosecuting and catching criminal offenders is not your core business or your area of expertise. Therefore, I believe you should not put too much focus on that,” I explained.
Of course, I would want to help and cooperate with the authorities and specialized institutions, particularly if our customers were severely harmed. But I do not wish to focus entirely on bringing the case to a satisfying conclusion.
I firmly believe we should focus our efforts and resources internally: analyze in detail the environment, our mistakes, and our loose ends. That is what will help us prevent similar events in the future, and it shows a certain level of maturity to our customers. Prosecuting perpetrators does not.
Admitting your own mistakes and correcting them is a sign of growth — an excellent start towards better quality and security of products and services. There are always many faults and flaws to be fixed; a perpetrator only needs to find and exploit one (or a few) of them.
Chasing and prosecuting hackers will not improve quality or security, not without a proper amount of brutal self-reflection. It does not make attacking any harder, whether for newcomers or for returning attackers. At most, it might scare off a few. But the environment will not improve: all the faults, flaws, and loose ends will remain open to new exploits.
This sounds familiar; it is like bacteria, the systemic cleaners in Nature. We need to focus on finding and solving root causes. Eliminating symptoms or consequences has never solved a problem.
Hackers and Coyotes
‘The Biggest Little Farm’ movie remarkably portrayed Nature and the Ecosystem. It also revealed the fundamental role coyotes play in it — a vivid, engaging analogy to the business ecosystem.
Thinking about that led me to realize the meaning of brutal self-reflection in business. Hackers (or coyotes) are not the culprit. They are merely a systemic mechanism (a key component of the system, actually): the one tasked with identifying obstacles and mistakes, the one that forces the system to improve and evolve.
We learn the most from our mistakes. And hackers are ‘the system’s mechanism’ that detects those faults and flaws. What we identify are the symptoms and their effects. Symptoms are never the cause, but they do cause pain, especially to the ego.
If you can keep your ego at bay, you start to grasp and embrace the need for self-reflection, and maybe learn enough to see the point in getting brutal at it. Hackers are the warning signs reminding you to re-evaluate and re-inspect your systems. They are the symptoms of faults and flaws you have managed to neglect.
You can then identify and fix all the causes you ignored. And improve the quality of your product(s) or service(s). That will make it less likely for symptoms to (re)appear. And help in fulfilling your responsibility — to safeguard your customers.
Release first, Fix later
‘Release first, Fix later’ is a widely used business approach these days — a textbook example of how to provide bountiful conditions for ‘coyotes’ in the business ecosystem.
It is similar to snakes and mice in Nature — balancing each other’s population.
When mice live in abundance, they grow in numbers. In large numbers, they start to prioritize ‘internal’ competition. As such, they become careless about ‘external’ dangers and easy prey for snakes.
Which leads to bountiful conditions for snakes. Snakes start to grow in numbers and decimate the population of mice. That, in turn, makes the remaining mice more cautious.
Decimated and cautious, mice as food become a scarce resource for snakes. That leads to a decrease in the population of snakes. This is how Nature balances snakes and mice, as both play an essential part in the Ecosystem.
When a species ceases to play an essential role in the system (or another one evolves to perform that role better), it dies out.
Nature is an excellent architect and teacher. We can learn a valuable lesson from that analogy above. When there are too many businesses (related, in the same field), they typically start to shift their focus from quality to competition.
Leaders become hasty and reckless. They devote less attention to quality and security. And make more mistakes, leaving more ‘loose ends’.
Less Quality = Less Security
Less quality means less security. Hackers do not pose the only threat. Low quality and too many ‘loose ends’ can turn your customers into a substantial threat.
Performing a vital role for the system poorly, or to its detriment, makes you redundant, useless, and expendable. Only the efficient and useful get rewarded (or tolerated).
Ecosystems cannot evolve (or exist, in the long run) without coyotes and hackers. If you eliminate them, others will come to take their place and try to balance the system. Every system strives towards a functional balance. Life is a constant seeking of balance; ceasing to seek it, or settling into a static balance, means atrophy or death.
You should not direct your attention at threats such as hackers. Instead, reduce their ideal conditions by focusing on your products and services. Self-reflect, improve, and evolve. You will increase your overall efficiency, usefulness, and value to the whole system.
I do not advocate criminal behavior. If you find my beliefs irrational, give that movie a try. It might open some new perspectives for you.
Hackers are here to stay, so get used to them. Focus on your quality and awareness instead. To eliminate all competition, or to adapt and evolve? What do you think is best — for all?
It is not the strongest or the smartest species that survives, but the most adaptable to its environment. This means we need to seek balance: not adapt the surroundings to our (limited) capabilities, but adapt ourselves and evolve.
The prevailing ‘Release first, Fix later’ mantra amplifies ideal conditions for hackers. If we adopt that approach, we can only expect one thing — an even faster-growing trend of hackers and their attacks.
This forecast is pessimistic at first sight, and security professionals still have to do their jobs. But you have to incorporate (brutal) self-reflection, look in the mirror, and keep your own ego at bay. That way, you can evaluate and improve both the quality and the security of your environment.
Where to start
Quality of product(s) or service(s) is a prerequisite for security. You should invest a substantial amount of your thought and resources into it: research ‘best practices’ and security frameworks. Implementing CIS, ISO, or NIST frameworks will help you build stable quality and security (systems).
“99% of the market is short term.” — Gary Vaynerchuk
Stop evaluating quality and security with financial attributes and in the short term.
Remember — it is easy to know something; the point is to understand it. Even when we disagree with another person’s perspective, we can take something valuable from it.
Thank you for your time and for any thoughts you might want to share. If you clap, it shows the article mattered to you, more people get to see and read it, and it lets me know what kind of articles to write.