Information Security Isn’t About Information or Security
NOTE: Throughout this article, I’ll refer to “we” and “us”. This collective is defined as me, FRSecure employees, SecurityStudio employees, our families, our customers, our partners, and everyone else who thinks in similar ways.
We have a strong belief that:
Information security isn’t about information or security as much as it is about people.
The fact is, if people didn’t suffer when things go wrong (cybersecurity incident, data breach, etc.), then nobody would (or should) care. Obviously, people do suffer, and we DO care.
There’s a second point related to our belief, it’s the fact that people (NOT technology) pose the greatest risk (to themselves and to each other). Technology only does what we tell it to do, but it’s people who tell technology to do the things that are risky (click links, download files, misconfigure settings, etc.).
We’ve held fast to this belief for years, and it’s not just a catchy saying. This is a deep belief we apply every day, in all that we do. For example, our sales team only sells what people need*, our analysts pour their heart and soul into every project, we’re committed to being product agnostic, and we always sleep well knowing we did right by the people who count on us.
*A rumor has been circulating for years at FRSecure; if you sell something that a customer doesn’t need (i.e. money-motivated BS solutions) I’ll run you over with my truck. I want to dispel this rumor. I will NOT run you over with my F250 (officially). Unofficially, this is a good rumor. For the record, I’ve never run anyone over (yet).
Why am I bringing this up again, and why now? Simple, I think it’s relevant.
People who love other people make the best information security people.
When making information security decisions, it’s important to feel the weight of those decisions. Especially when the information you’re protecting isn’t yours, meaning you’re not the one who suffers when it’s lost or stolen.
Relevance to Current Events
We’ve lived our belief (about people) for years, and it’s as relevant today as it’s ever been. People are suffering, directly and/or indirectly from the results of information security incidents. These are people from all walks, regardless of race, religious beliefs, economic backgrounds, political affiliations, or sexual or gender preferences.
Risk doesn’t discriminate, and neither do threats (attackers).
This is true in general terms. There are always specific threats targeting specific groups; however, in general, risk by itself doesn’t discriminate. Even if you’re not specifically targeted, you’ll still encounter some degree of consequence. In today’s world, most of us are digitally connected. In fact, most of us are digitally connected through a mesh of associations; networks, applications (SaaS platforms, social media, online shopping, and other shared services), etc.
The truth is we are all at risk, and people DO suffer. When people suffer, we shouldn’t roll over an take it. We all should get a little (or a lot) pissed off! People taking advantage of others should raise an ire in all of us. Playing the victim helps no one.
Beyond the non-discriminatory nature of information security, there’s additional relevance related to focus, emotions and lack of personal accountability.
While we’re focusing on VERY legitimate racial injustices in our society, the attackers are still attacking. Attackers know that we’re not paying as much attention to them, and they’re crafting attacks that are more likely to succeed given our emotional state.
Attackers are taking down (DDoS) local and state government websites and services, using language like “Black Lives Matter”, “Peaceful Protest”, and “Support Racial Injustice” as click bait (opposed to legitimate causes), and setting up fake fundraising sites to lure people into giving money for fake causes.
Attackers always use current, well-known, and emotion-laden events to take advantage of panic, fear, and compassion. The attacks happen every time these types of events, and it’s because they work. The attacks work so well that attackers don’t even bother changing their tactics.
Do your best to maintain (at least some) focus on information security. Easier said than done for some of us, but you can do it if you try!
When emotions run high, we are quicker to react, and more likely to find ourselves in bad situations. This is due to the way our brain works. Our left brain is more pragmatic and tells us to act logically, while our right brain tells us to follow our heart. In a “normal” state, the left brain and right brain wrestle for control of a decision and the result is a compromise between the two. In highly emotional states, the right brain tends to dominate our decisions and logic takes a back seat. We think less and react more.
People are beautiful. Human beings are delicate and intricate systems, yet we come with this magnificent resilience that seems to defy logic. Most (or maybe it’s many, I don’t know) of us posses empathy, compassion, and love that are interwoven perfectly together. While these things are true, sometimes our emotions get the best of us, and we do things we wouldn’t normally do. It almost seems like things get a little jumbled when we’re in a highly emotional state.
There are at least two important tendencies that are more common for us when we’re in a highly emotional state:
- We make more mistakes. In our rush to act, we’re more likely to act before thinking things through to a logical conclusion. The right brain sorta kicks our left brain’s ass.
- We open ourselves more to manipulation. If an attacker knows you’re in a highly emotional state, it’s easier to use these emotions against you. Let’s say that you’re torn up about racial injustice. You feel the need to do something about it, driven by your deep compassion for others. If an attacker makes up a compelling story about how you can help right some of the wrongs in our society, don’t you think you’d be more likely to act on it? In a less heightened emotional state, you might be more logical about it the decision to help, be skeptical, and even do some research first.
If you can learn to recognize where your decisions are coming from, you’ll be better prepared to make good decisions. This takes self-discipline and honest introspection. For the time being, it might make sense to put off important decisions until after you’ve had time to process your emotions. Maybe take some time off.
During tense and emotional times, there is a much stronger desire to hold people accountable (for something or anything). We’re quicker to assign blame, point fingers, and lash out at anyone we perceive to be going against our personal version of right. This is true in societal issues like racial inequality and to some extent it’s also true with information security. In our rush to hold someone externally accountable, we lessen (even more) our own personal accountability.
Sadly, a great number of people think that their information security is somebody else’s responsibility. The truth is, you’re the one who’s primarily responsible for your own information security, privacy, and safety. Nobody cares about (or should care about) your information security more than you. If information security doesn’t motivate you, maybe your privacy will. If that still doesn’t work, maybe your own safety, and the safety of your loved ones will motivate you to act. In today’s world, safety, privacy, and information security can’t be separated.
Sure, there are others who play a role too, but you are responsible for all parts of information security for which you can control. You can control what your children are accessing online. You can control patching of your home network equipment. You can control which passwords you choose, what applications you run, and which websites you visit for entertainment.
What to Do
So, I covered a lot of stuff. Mostly educational stuff. Now, the practical stuff (hopefully).
The best thing you and I can work on is our habits. If we take the time to learn and form good information security habits, we’ll be in a much better spot to protect ourselves from attackers, especially in light of world-shaking events. Habits form a mindset of default actions, and default actions form a baseline that’s less likely to change, even in response to high stress situations.
Develop an information security program that fits with your culture and master the fundamentals. A good security program is built around risk management and risk management starts with:
- An intimate understanding of what “risk” is.
- Management commitment, not just endorsement.
- An objective and measurable risk assessment.
- A roadmap built from the unacceptable risks discovered in the risk assessment.
- Execution of the roadmap using creative solutions and processes that fit your culture.
- Re-assessment and repetition. This builds the habits.
If your information security program is counter-culture it won’t result in good habit forming. If you can’t secure management commitment, you’re just going through the motions.
You are the CEO at home, you make the calls, and you are ultimately responsible. The same process outlined above for businesses applies at home. You will need management commitment (you), an objective and measurable risk assessment (see below), a roadmap for improvements, action to implement the improvements, and repetition.
At SecurityStudio we’ve built all of these steps into a simple and FREE tool called S2Me. The only thing we couldn’t build into the tool is your commitment. That’s on you.
There’s too much hate in the world, and we don’t want to make problems worse. I can only think of one thing I hate, and it’s people taking advantage of other people. For me, it’s the lowest of the low. Today, we’re witnessing riots all across the country (and world). They’re not about information security, but they’re about people taking advantage of other people. It’s all bullshit, and it needs to stop! Learn and play your role in information security, and don’t let yourself be a helpless victim.