mitchellparker
Contributor

Cybersecurity Awareness Month: Increasing our self-awareness so we can improve security

Opinion
Oct 15, 2019 | 15 mins
IT Leadership, Security, Technology Industry

With the increased prominence of cybersecurity in organizations due to many crippling cyberattacks, the emphasis is now on continual engagement, as it should be. It’s also important to address the tunnel vision that has plagued the field, and how we need to combat it before we can make it to the next level.

October has been National Cybersecurity Awareness Month since 2004. According to staysafeonline.org, this initiative was started by the National Cybersecurity Alliance and the US Department of Homeland Security to help all Americans stay safe and secure when online. This month is usually marked with a significant uptick in cybersecurity outreach and training. It’s also the one month of the year when you can get a significant amount of cybersecurity swag such as webcam covers, mugs, and pens. This event has an outward focus to raise awareness of security globally.

Many other events have come into existence along with this. For example, there are numerous electronics recycling events that now occur in October where people can securely dispose of their old computers. Some municipalities have extended this to include safe disposal of old prescription medications, paints, and other hazardous materials.

Recent events in the greater technology community, specifically the resignation of Richard Stallman from both MIT and the Free Software Foundation, have become character foils that show us that while we have come a long way, we still have a long way ahead of us to improve.

Instead of focusing this month on how we can improve our outreach to customers, I think it’s more pertinent that we use this month to focus on ourselves and how we can increase our self-awareness to provide better security and escape the issue of tunnel vision. With the criticality that many organizations face in the recent explosion of targeted ransomware, IoT attacks, and data breaches, people need Information Security more now than ever. We need to combat tunnel vision and its associated issues to help turn around the perception of Information Security and increase its effectiveness.

What is tunnel vision?

Tunnel vision is a naturally occurring behavior. According to the website Situational Awareness Matters, it’s a tendency to focus on a single goal or point of view. The more important a goal is, or the more threatening a stimulus is perceived to be, the more likely people are to focus their attention on it. This has been used as a very effective manipulation tool to get people to focus on one area without taking others into consideration. It short-circuits critical thinking.

Scientists are often very focused and disciplined by nature. They work on important and lofty goals. This was lampooned on the TV series “The Big Bang Theory,” featuring a brilliant yet idiosyncratic scientist in Dr. Sheldon Cooper who was so focused on logic, his point of view, and his goals that he often offended or shut out others with his tunnel vision. While he finally gave credit to others in the final episode after a particularly bad incident, this behavior was used over 12 seasons for comedic effect.

In the real world, there’s no laugh track, and we don’t come to resolutions in 22 minutes. Tunnel vision can cause people to lose focus of what is important and happening around them. It can cause them to not understand the consequences of their actions. This has real-world effects, and people will get hurt and offended. Unlike the comments Dr. Cooper made that hurt others around him, those effects last a lot longer than an episode or two and don’t disappear to increase viewership.

Tunnel vision means numerous things. First, it means that we don’t see what the effects of our actions are and that we focus too much on the minutiae and not enough on customers. We also cut out as unimportant anything else that does not involve our immediate area of control. We treat our customers how we think they should be treated instead of how they need to be.

It also means that we become blind over time to bad behavior and its effects, because we are so focused on the goals at hand that we neglect to see how our actions affect our stakeholders. We also see these goals as having more intrinsic worth than those of others, and don’t give value or consideration to them. This leads to the beginnings of supremacy, and the de-valuation of others. This puts us at the beginning of a downhill slope where we find other reasons to attack others and devalue everything they say because they fit certain labels, without being objective or considerate in how we treat others. Social Media and the echo chambers it facilitates have amplified this significantly.

How did we get there?

Tunnel vision shuts out or minimizes anything but the perceived objectives. It’s about having a perceived mission that overtakes everything else and believing in it so strongly that you rationalize bad behavior as either necessary or a necessary consequence. It causes the rationalization that your behavior and actions are worth more than others’, and that the actions you take, even if they offend or hurt others, are worthy and necessary. This causes people to ignore obvious items and not think about consequences from their actions.

A prime example of this was the MIT administration ignoring complaints about Richard Stallman’s behavior for years from numerous women because he brought prestige to the campus through his software development work and evangelizing of Free Software. The MIT Media Lab administration willingly overlooked the donations from a convicted sex offender because they funded projects and initiatives that increased their prestige. Due to the tunnel vision of the late Marvin Minsky and Joichi Ito, MIT has a serious credibility crisis they need to address.

How do we see this in the workplace?

I’ve been in IT and infosec for over 20 years. There are several root causes of security issues. Complacency/indifference is the biggest one I have seen, followed by self-centeredness, making excuses or rationalizing, resistance to change, defensiveness (and its associated attacks), competitiveness, celebrity worship, and integrity/values/truth alignment. I am by no means saying I am perfect and have never been guilty of any of these or am trying to preach. I’m trying to help others not repeat the mistakes and lack of introspection that put many of us and the profession in a bad place. The goal here is to help us out of tunnel vision and toward better relationships that last longer than swag by using mirroring and modeling. We want to get to a point where we avoid viewing ourselves as superior to others and justifying bad behavior. Nobody is entitled to bad behavior or to be able to force others to do what they want.

Since there is greater visibility on security, we must hold ourselves to higher standards. The way we carry ourselves is now visible across the organization. Technology is no longer data processing, and the team isn’t hidden in the data center or computer rooms anymore. Due to multiple events involving ransomware and other major events, we are now front and center, and we have growing pains. We also can’t be crying wolf or pretending to be Chicken Little all the time anymore.

I realize that as I sit here writing these words that complacency, indifference, and tunnel vision have been the rules of the game, and that for better or worse that many have perpetuated the need to keep things as they are. More importantly, I’ve seen an industry that has a lot of people who want to keep others out because it makes them do something different and/or interrupts their little world. Many of them view themselves as superior to those they are supposed to serve. It only takes a few of them to ruin an organization.

This is nothing against the many hardworking people who truly fight to improve their situation and work very hard to earn the continued trust of their customers. We salute and encourage them and celebrate their existence and willingness to advance the profession. We want to add to their ranks because we will never have enough of them. The many leaders that teach and live Servant Leadership need to be multiplied tenfold.

We have too many people who want to push a button, look like they’ve solved the world’s problems, and have an easy time doing so. They don’t want others involved because a different point of view means doing more work to address problems. This causes them to focus their attention on the people who bring the different point of view rather than on the problems and issues those people raise, because attacking the messenger requires less work and makes them look better, while keeping their sense of superiority and condescension. I’ve seen nothing but insults from the self-appointed tech gods who keep others out because it messes up their business model to have anyone that asks questions. I’ve had a fellow team member accosted by a security consultant who yelled at him and said “It seems every place you work I don’t get any business and you’re costing me money!”

I’ve been on the receiving end of negative feedback (and much worse) from customers who have been fed up with previous attempts at security. I have had to deal with the negative effects of multiple people believing they were innately superior causing major issues across multiple organizations because they just didn’t see others as equals or give them consideration. If there has been one constant in my career, it has been addressing the fallout from people and companies who do not listen to or give any kind of weight to their customers and stakeholders. The first company I worked for full-time as something other than tech support received many large projects due to customers who were looking for better providers who could meet their needs. My career has been built around rectifying these situations.

I’ve also seen security “professionals” purposely steer away from teaching others about security, even the basics that the customers ask for, out of fear that people will learn more and not need to depend on them. I’ve also seen indifference to actual issues being discovered many times, along with outright hostility and passive-aggressive threats to derail initiatives. I’ve also seen indifference to bad behavior because it was perpetuated by someone higher up, and rationalization that the behavior was warranted.

I’ve seen horrible behavior continually excused and rationalized because it was perceived that the perpetrators either saved significant amounts of money, kept the organization running, or knew about security. Rather than help these people learn how to operate in a professional environment, provide leadership and mentoring, or counsel them out because of their bad actions, management chose the path of ease and let toxicity reign at the expense of the rest of the organization. I have watched this destroy teams, communication, employee engagement, and morale.

I have seen deliberate lying and making false statements to customers be condoned or let go because it either made someone look better or helped improve a performance metric (sales, lower number of incidents, avoiding data breaches, etc.). The more we accept and perpetuate this, the more we accept it from others in authority. False statements, whether they support an agenda you agree with or not, are still false, and wishing they were true doesn’t make them so. Our customers know this and pick up on them, and this damages relationships, sometimes irreparably.

Most important of all, it made customers and team members afraid to report security incidents out of fear of retribution, being made fun of or mocked for being stupid, fear of other forms of harassment, or nothing being done to address a pressing personal or business issue. Yet, because management chose not to see the issues at hand, being so focused on making themselves look good, they thought everything was going well. As I always tell my team, eventually, this bad behavior gets found out. Senior leadership doesn’t get there by fiat in most cases. They are there because they know how to address business concerns in multiple dimensions and meet the needs of their customers.

What is this about?

It’s not about race, gender, sexual preference, or anything else. It is about threats to perceived power, an innate sense of superiority, and influence or playing politics. There are people in every industry who abuse power and gain happiness from manipulating others, and Information Security is no exception. It’s because people who bring a different point of view are attacking the status quo and messing up complacency or power for others, making them do work they don’t want to do, and credibly demonstrating how vulnerable organizations really are. There are people visibly upset that we’re changing how they perceive security and shattering their long-held beliefs, and they are very angry at that. They see us as a threat, especially to their power structure. The problem is many of them work in security. They see tools and consultants as something to hide behind to make themselves look good for senior leadership, as opposed to collaboratively working to address risk. Even the imminent threat of ransomware didn’t cause the changes that it should have.

Being complacent, blaming the messenger, and looking for the easy way out is a major reason we are where we are. Attacking others because of their point of view or because they see things differently is the opposite of where we need to be. It makes everyone else in security look bad.

It’s because of these people that we must be better and hold ourselves to a higher level. We need to demonstrate that with knowledge of different ways comes a more evolved approach that the business understands that also demonstrates knowledge of their needs.

We don’t have to be used to the way things are and don’t have to be used to train wrecks and disasters. Just because it happens doesn’t mean we have to be complacent in letting it remain. What example do we set by allowing this to remain? How do we look our family, friends, and customers in the face and truthfully give assurances that we are really doing the right things? How do we set the examples for our teams in doing this? Why are we perpetuating this and letting it happen? How do we reconcile when we give someone a free pass for the Nth time?

What can we do?

We need to be very thoughtful about our actions. We need to be focused on the well-being of the organization, its customers, and its constituent team members. Playing politics does not do that. Protecting team members from complaints about all forms of bad behavior and using senior leadership to do so will eventually backfire and catch many others in its wake. The previous examples that happened at MIT illustrate that perfectly.

We need to be continually checking in with our customers, asking questions, listening, and acting. This isn’t retail where we ask people to give glowing reviews to get a $10 gift certificate off their next visit or purchase, pay review sites to bury bad ones, or use sock puppets on job boards to hide employee engagement issues and entice unsuspecting applicants looking for a fresh start in cybersecurity. We need to be continually engaged with not only our teams, but our customers and fellow team members.

We need to do what is right. The second we see ourselves focusing on the mission of the organization as secondary to ours, then we will most likely fail, and we need to correct it. When we see ourselves at odds with our own organization, we need to figure out why and try to resolve it. When we see bad behavior of particular people rationalized and excused, even by senior leadership, we need to say something and stand up. This includes truth as an absolute, and not accepting false statements or lies because they support an agenda or people we agree with. Perpetuating false statements makes you complicit in the lies.

When we see people gatekeeping to keep others out or manipulate others they do not like because they want to have their unquestioned little world where they can do whatever they want or power trip, we need to stop it. When we see security consultants and professionals who use fear, uncertainty, and doubt to scare others into paying for goods and services of little or no value, and using a perceived skill set as an excuse for treating people like garbage, we need to not only ban them, but keep them away.

We’re not here to fight our organizations or have turf wars. We live in a time where cyberattacks are no longer just the occasional worm or badly written VBA virus. These attacks shut down businesses and cause interruption of government services to citizens. They affect medical care and the ability to provide it. They cause production interruptions in factories and car plants. Our customers are genuinely scared of what is going on. They are approaching anyone that is remotely approachable and nice and asking them what to do to protect themselves. Even if it is not the best answer, they will get something that they perceive protects them to some degree or reduces risk, even if it doesn’t, because the people providing the solution treat them like human beings with dignity. Brilliant Jerks need not apply, especially when we deal with people on their worst days.

We need to be there for them and approachable. We need to answer their questions. We must constantly be on top of our game and be out there speaking with the team. Security is no longer something that the “IT guys” do. It’s no longer the province of jerks or condescending power junkies. It’s Information Risk Management, and we owe it to our customers to get out of the tunnel and work with them toward a vision of better security. That’s longer lasting than a coffee mug or sticker.

Mitchell Parker, CISSP, is the Executive Director, Information Security and Compliance, at Indiana University Health in Indianapolis. Mitch is currently working on redeveloping the Information Security program at IU Health, and regularly works with multiple non-technology stakeholders to improve it. He also speaks regularly at multiple conferences and workshops, including HIMSS, IEEE TechIgnite, and Internet of Medical Things.

Mitch has a Bachelor's degree in Computer Science from Bloomsburg University, a MS in Information Technology Leadership from LaSalle University, and his MBA from Temple University.

The opinions expressed in this blog are those of Mitchell Parker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.