The “F” word

The cyber security industry must evolve its attitude and cultural approach to failure.

Threat Intel

5 min read, Sep 25, 2019

Take a look at this track record, and ask yourself… would you hire this person?

1832: Defeated for state legislature

1833: Failed in business

1835: Sweetheart died

1836: Had nervous breakdown

1838: Defeated for Speaker

1843: Defeated for nomination for Congress

1848: Lost re-nomination

1849: Rejected for land officer

1854: Defeated for U.S. Senate

1856: Defeated for nomination for Vice President

1858: Again defeated for U.S. Senate

But what if we told you this person was “Honest Abe”, the 16th President of the United States? A man who not only abolished slavery but is consistently rated as one of the top three presidents by historians.

Given the importance of his achievements, it’s fair to say he’d be a valuable candidate for any organization. However, is this despite his failures, or because of them?

Afraid to fail, afraid to learn?

Our latest High Alert research — a survey of more than 3,000 cyber security decision makers in the UK, France and Germany — suggests that failure is still a dirty word for many cyber professionals.

Despite many agreeing that a breach is inevitable, 54 percent say they explicitly do not discuss breaches or attacks with peers in the industry. Why? The answer may well lie in the fact that 36 percent of cyber security professionals are worried that sharing information about incidents that took place ‘on their watch’ — with peers, colleagues or prospective employers — could adversely impact their career.

Such fears are only human, but as a result 50 percent of security decision makers say there’s a distinct lack of cross industry information sharing about managing incidents.

Black box thinking

British journalist and author Matthew Syed would argue it’s how you manage failure that makes it vital for improving performance. In his book, Black Box Thinking, he argues success can only happen when we confront our mistakes. He cites the aviation industry as an exemplar — because it has created an astonishingly good safety record. It has achieved this through a combination of culture and technology that enables airlines to record, share and learn from mistakes rather than conceal them.

Despite personal fears about reputation or career prospects, half of respondents (51 percent) said failure is a critically important part of the process for improving security, which begs the question: why is information sharing so poor?

Turning failure into success

Here’s what Dr Steve Purser, Head of Core Operations, ENISA, and a former financial sector CISO, has to say on the issue:

“Security leaders, and the industry more broadly, need a framework for structured information sharing — whether for ongoing best practice, or as a process for learning from a breach.

“Overall, there is a distinct lack of strategic information. Simply because this is the information that takes a lot of effort and analysis to produce — to distill into clear trends to inform decision making. Operational information sharing is reasonably good. This is the knowledge of techniques, processes and best practices, which can be used to systematically respond to security indicators. But across the industry there is an absolutely enormous amount of tactical information — to the point where, without the support of well-automated filters and analytics, security teams are overloaded by it.”

This kind of nuanced understanding is essential here. Clearly, no CEO should want a CISO who’s had breach after breach everywhere they’ve gone, just as no cyber security team should go around sharing sensitive information that could weaken their organization’s defenses.

Rather, the point is that the cyber security sector needs to look beyond the tactical, into the harder questions of strategic information sharing: the kind of information that is only really found in years of experience.

How a breach can make you better

The findings of High Alert suggest that it may be in businesses’ best interests to hire CISOs who have experienced a security incident, because of the way a breach changes how cyber security professionals think and feel.

The findings reveal significant differences between the mindset of cyber security professionals who have and have not experienced an avoidable breach. If you’ve been through the fire of a major incident, and come out the other side, you are:

· 24 percent less likely to report feeling ‘burnt out’

· 14 percent less likely to feel ‘set up for failure’

· 14 percent less likely to think about quitting your job

· 14 percent less likely to want to leave the industry

· 20 percent less likely to feel indifference toward their work

· 9 percent less likely to fear dismissal for a breach ‘on their watch’

· 15 percent less likely to feel personally responsible for an incident that could have been avoided

The ‘experienced’ group are less worried about every stress factor we surveyed, including increasing regulation, the talent gap and IT complexity. They are also 14 percent more likely to share their experiences with their peers.

“It might sound counterintuitive at first,” comments Darren Thomson, CTO, Symantec EMEA, “but if I offered you two CISO candidates with an identical skill set, but one of them finds dealing with regulation less stressful, is less likely to suffer from burnout, and more willing to share the lessons they’ve learned during their career — who are you going to pick?”

The time has come to see having a breach on your résumé as a strength, rather than a weakness. Yes, it’s an incredible learning experience, but the positive impact on your character is just as valuable. Experiencing a major incident can make you battle hardened and better at dealing with pressure.

As Lincoln said: “The probability that we may fail in the struggle ought not to deter us from the support of a cause we believe to be just.” It’s hard to think of another quote that so accurately summarizes the challenge, and required stoicism, of the modern-day CISO.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.

Threat Intel

Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.