Paranoia, Skepticism and Other Virtues

Let’s try a quick thought exercise: I want you to pinpoint a single day in recent memory when you didn’t think, hear or read about a security breach. It’s tough to do, because breaches have become a part of our daily lives. One day it’s a news story about the latest megabreach, the next it’s your coworker’s credit card data being compromised on a business trip, followed by your executive board talking through ‘what if’ scenarios. Internalizing these situations and being skeptical about cybersecurity, and maybe even a little paranoid, can be a very good thing.

DarkReading’s Corey Nachreiner suggests the ideal security professional mindset blends ‘a dash of paranoia paired with a side of skepticism,’ which really isn’t a bad way to look at IT security. There are a few caveats to this state of mind, however: sheer paranoia on its own can turn into knee-jerk panic if left unchecked. The key is to keep doubts rooted in reality and turn that anxiety into preventive action items, such as routinely reexamining threat data and comparing results week after week to track trends and persistent threats.

Being a skeptic in today’s digital landscape goes beyond just doubting everything. What’s needed now is scientific skepticism, or the practice of not accepting new concepts or beliefs until there is concrete empirical evidence supporting them. In practice, the distinction between true paranoia and healthy skepticism lies in the differences between reactive and proactive actions.

For example, say you suspect there’s been a data leak somewhere within your enterprise as a result of a new kind of malware your team discovered. A strictly reactive approach would mean immediately cutting off all access to the affected assets and putting your security team (and others within the organization) on high alert. A more prescriptive and proactive course of action would be to act on the answers to questions like: What actually happened? Is there any kind of pattern, and have we seen this before? What do other people know about this specific threat? What is the smallest set of resources we can take offline to fix this problem? What do we do if it happens again?

As cybersecurity professionals become aware of more and more new vulnerabilities, zero-day bugs and malware exploits, the managers they report to might be tuning out due to alarm fatigue. As a result, leadership within certain companies has begun to put its ‘head in the sand’ regarding information security.

According to a recent Black Hat attendee survey conducted by research firm DomainTools, 35 percent of respondents said their leadership lacked a ‘healthy paranoia’ and 21 percent said their leadership was relying on ‘hope as a strategy’ to avoid a security attack. The number one complaint was that boards made security decisions without involving those closest to the risk. While this siloed mentality certainly helps no one, it’s troubling to note that nearly a third of the respondents cited the concern that leadership viewed security as strictly an IT problem.

While generalized ambivalence toward IT security within an organization is nothing new, it might take a little more effort to get decision-maker sign-off on critical security items given the increasingly insular nature of today’s leadership. Taking a more proactive approach to security conversations, putting things in simple terms and using real-world ‘what-if’ scenarios will help leaders recognize the importance of taking IT security seriously again. That way, when the time comes to react to a real threat, your board can be the ones wearing the tinfoil hats.