Human beings at their very heart are story-tellers and observers of narratives. In fact, our brains are constantly finding ways to make meaning out of often random and disconnected events to form an over-arching narrative of our lives that makes sense.

Charl van der Walt, chief strategy security officer at SecureData

In cybersecurity the narrative is too often one of fear, uncertainty and doubt (FUD): a tale we have consumed voraciously for far too long. Companies are usually portrayed as victims: weak, timid prey waiting to be pounced on by the hungry, predatory cyber-criminal. Vendors and, in turn, the media, amplify this negative tone by focusing obsessively on what the bad guys are doing.

I propose an alternative narrative, one that uses a different kind of language and shifts the focus to the bigger picture.

Hunter and hunted: the FUD-driven cybersecurity narrative

In this narrative of FUD, perpetuated by much of the cybersecurity industry, the Black Hats are positioned as the hunter: shadowy figures working away in the darkness to snare and penetrate organisations for personal or political gain. It is a powerful analogy that plays to our basest fears, painting us as prey constantly on the run from some predator, like a gazelle fleeing a lion. But it is also responsible for an overwhelmingly reactive approach to online threats. The gazelle runs instinctively from the lion: it does not plan ahead or work on strategies to make itself harder to catch.

Perhaps even more insidiously, the lion/gazelle analogy creates two very powerful but very false corollaries. The first is that we can outrun the lion: by running fast enough until she tires or gets distracted, we can ultimately avoid capture. The second is more subtle: that we do not actually have to outrun the lion at all, that it is enough to outrun the other gazelles. As long as there is other prey more vulnerable or less nimble than we are, they will fall victim to the hunter, not us.

It is true that better standards, smarter people and better intelligence can go a long way towards improving our response to security threats. But these measures can only go so far. Whether consciously or not, our humanity always brings us back to the narrative. That is why we also need to change the hunter-hunted analogy if we are to change the way we do security, and move from a reactive, underprepared stance to a proactive, purposeful one.

Running with the bulls: an improved cybersecurity mindset

We are often distracted as an industry by the latest big-name threats. Security vendors and research groups have had a great time of late dreaming up catchy, doom-laden names for them. KRACK, Heartbleed, Spectre, Meltdown, WannaCry: the list goes on. But the branding only serves to reinforce the old hunter-hunted dynamic.

It might be more constructive to think of cybersecurity not in terms of a lion and its prey but of running with the bulls. After all, the threat landscape is similarly chaotic and random; there is no end in sight, just new bulls and an endless stretch of road to run.

If we follow this analogy, we accept that the chaos and unpredictability introduced by an adaptive adversary are our constant companions, and that constant awareness, engagement, reassessment, realism and adaptation must characterise our response.

In this chaotic world there is little correlation between what you invest in security and how much risk reduction you can expect in return. There is also no such thing as "baseline" security. Doing security better than your rivals is not enough, and compromise of some sort remains a question of "when", not "if".

The bigger picture

Basic cyber-hygiene measures such as patch and vulnerability management are vital elements that keep the organisation as resilient as it can be: there is little point in investing in sophisticated, expensive security if you have not got these basics right.

However, the truth is that we live in a chaotic world with no end game in sight. This is a reality the security industry needs to come to terms with and embrace, rather than perpetuating the lion-and-prey narrative.

If organisations better understand their online foes, adapt their strategies accordingly and work to master the basics of cyber-hygiene, they stand a good chance of outrunning as many of these bulls as possible. But just as important is appreciating that you cannot outrun them all.
