Cyber security – it’s not magic
I write and speak about this issue quite regularly. It’s one that I believe is vital to grasping cyber security’s place in the world.
Especially while many people are still working remotely, and as excitement and fear about AI flood media of every kind, technology has become more and more central to people’s lives, even as we talk about the ways things will or will not return to normal.
As we hear about more and more cyber security incidents, each supposedly carried out by ‘sophisticated threat actors with unprecedented capabilities’, it’s time to talk about the mystique of cyber security and the problem it has with public perception.
Security is the art (or science, though I believe science requires experimentation, which isn’t something we can really do when dealing with security) of protecting an asset from a threat. In many security domains that is immediately clear and obvious to practitioners. In cyber security, information security, or IT security it can be muddied and hidden away from other security professionals, from the people it should be protecting, and even from many cyber security practitioners.
Cyber security is not magic
There is an incredibly common perception, encouraged by some cyber security professionals and companies, that cyber security requires some sort of arcane, obscure, special knowledge which only a privileged few can access. This perception not only discourages people from entering the field or even taking ownership of their own security, it also gives an impression that cyber is somehow outside the reach of anyone other than specialists.
With the media stories out there, thinking about cyber security is stressful for many, and the promotion of this view drives learned helplessness. Learned helplessness is what happens when people repeatedly experience a stressful situation and feel it is beyond their ability to control. After enough experiences like this, and it doesn’t take many, people stop trying to do anything, even when an opportunity to change arises.
Getting people out of learned helplessness
Getting people out of learned helplessness is difficult, and for years much of the cyber security industry and the media coverage has been driving the idea that not only is everyone under threat, but that protecting yourself from those threats is not possible without abilities beyond the reach of ordinary people. This has only grown with the massive increases in ‘cyber crime’ (or, for a more accurate term, usually fraud).
This idea extends to security professionals as well. Over the years I’ve had several conversations with experts in various security fields who are convinced that while they have expert knowledge, far beyond mine, in their security discipline, they need to leave cyber security to the specialists.
It’s a domain, not a discipline
Security is a discipline, a skills toolkit, more about learning how to approach situations in general than about the details of those situations. The skills involved in security are applicable across multiple different domains, and all in the pursuit of protecting assets from threats. Cyber is a particular domain, an area in which those skills can be applied. All of the skills developed in other domains of security can be applied to cyber security by learning to reapply the models you use to technology.
All of this is to say that cyber security is just security applied to a poorly-defined mishmash of technology and information security; it is not special, it does not deserve to be treated as an ivory tower, and absolutely anyone can not only learn it but excel at it if given the opportunity. There’s no need to have amazing technical skills, just an understanding of how the technology can be used and what attack vectors might exist. While technical skills are useful, they aren’t essential for individuals to take ownership of their own security, or to protect other people. Call in the specialists when they’re needed, but take the time outside that to ask questions and learn.
Any cyber security professional who won’t help people to understand the field most likely doesn’t understand it themselves. To improve cyber security worldwide it isn’t enough to add new people to the field; we aren’t ever going to have enough and we struggle to get companies to understand what security they actually need in any case.
What most organisations need is a wider understanding of security throughout their organisation, not more experts watching screens to react when things go wrong.
We need everyone to feel comfortable when dealing with a cyber security situation, to not suffer from learned helplessness but instead to take control of their own security posture, take responsibility for their own protective measures, and ask for help where it’s needed. And of course, we need to fix our technology.
For years we’ve failed to design and build technology tools based on secure principles, and it shows. In most cases, designing secure systems would prevent threats from ever reaching the users they’re targeted at.
James Bore
Security Institute member