How to avoid a crash landing in cyberspace

The art of challenging your assumptions when it comes to cybersecurity.


Humans are like snowflakes. No two are alike.

Yet we often behave as if the exact opposite were true, assuming that other people think and act just like we do. In cybersecurity, treating a belief as though it were a fact can lead to a project's crash landing. Cases in point:

Assuring alignment

Your code may be 100% spot on, but it turns out that what the code does isn't in alignment with the work of the other engineers. It's not your fault. Rather, the various teams working on the project were building to different specs.

Sounds implausible?

Just think of the Mars Climate Orbiter, launched in 1998 and lost in 1999 when it disintegrated on entry into the Martian atmosphere. The culprit was that NASA engineers had written their software to expect metric units, while their partner, Lockheed Martin, had built its calculations for the hardware using English units.

The Orbiter burned up because both sides assumed the other guy was using the same kind of ruler.

Generating buy-in

Security crashes also result when few people believe in the project they are working on. Many times, infosec personnel dismiss the importance of an immediate problem, assuming that the danger of the situation is being blown out of proportion, or they underestimate potential flaws, as happened in the Equifax breach. The first step toward generating buy-in to the seriousness of a problem is recognizing that what is an obvious problem or concern to you may not be obvious to others.

Peter Thiel is a highly successful, modern-day Renaissance man. His achievements include cofounding PayPal, teaching a start-up course at Stanford University, managing a hedge fund, and authoring (with Blake Masters) the best-selling book for start-ups, Zero to One: Notes on Startups, or How to Build the Future. In this book, he provides a humorous illustration of how what's "cool" to you isn't necessarily "cool" to others.

In PayPal's early years, the company held a press conference to introduce PayPal payments on the PalmPilot, one of the first widely used handheld PDAs. The concept was to demonstrate how people could beam money from their PalmPilot to someone else's. Many of the original PayPal employees were engineers, and they thought Scotty from the original Star Trek TV show was really cool because he was an engineer too. So when they held the press conference to announce their service for digitally sending money, they assumed that engaging James Doohan, the actor who played the original Scotty, to kick off the event was a no-brainer and that people would flock to meet him. They would have him say something like, "Beam me up some money." Uttering that line would make PayPal immortal, drive huge press coverage, and definitely go viral.

Unfortunately, not everyone shared this enthusiasm. Very little of the press came, and those who did weren't at all excited when James Doohan appeared. Thiel admitted that he and his PayPal peers learned an important lesson: the world doesn't always think like engineers. In other words, what is really cool and exciting to you may prove to be a real yawn to others. Instead of exciting them enough to buy into your vision or infosec strategy, you put them to sleep.

Stop making assumptions. Right? No, wrong

The stories above will understandably lead you to a simple conclusion: stop making assumptions. This couldn't be further from the truth. An assumption is something you treat as a fact rather than as a belief. It is often subconscious and therefore taken for granted.

Yet assumptions are integral to everything you do, whether programming software, planning your day or a meeting, designing a strategy, or starting a company or a new family. Another way to look at this is to understand that assumptions are neither good nor bad; they serve an important function in your decision-making process. Assumptions are like breathing. You can't live without them.

So, what is the solution?

The key is to raise your level of awareness so that you can recognize when you are making an assumption and then decide how you want to manage it. Managing your assumptions is what drives success; ignoring your assumptions, or denying that you make them, often has the opposite effect. A good question to ask at this point is, "How do you recognize assumptions if most of them are made subconsciously?" There is no single answer, but a fast approach is to listen to what you and others say in response to a proposal to think differently or make a change.

You can often recognize these assumptions via verbal cues:

  • Can’t be done – impossible.
  • Not enough time or money or... (fill in the blank).
  • We tried it last year and it didn't work.
  • The client will never buy it.
  • They are not giving me the support I need.

Over time I have collected a number of these verbal cues from all walks of business and put them into a database called the Dangerous Assumptions Database (DAD). The DAD's name pays homage to the well-known leadership saying that "assumptions are the MOTHER of all screw-ups." The DAD helps you spot these MOTHERS and quickly surface the beliefs we treat as truths. In cybersecurity/infosec these include:

  • “I’d never do it that way.” (thinking that the world thinks like you)
  • “We are smarter than our enemy.” (believing that you and your team are the best)
  • “This is good code.” (wanting to believe that because the source code compiles and runs, it is free of flaws)
  • “No one would ever do that.” (thinking that if you can’t imagine doing something, no one else will imagine doing it either)

The art of challenging your assumptions will be discussed in further blog posts. But for now, simply being aware that you are making an assumption gives you an incredible power: the ability to see beyond a one-directional belief that would otherwise, like the Mars Climate Orbiter, leave your cybersecurity efforts to crash and burn.

By admitting that you make assumptions and then surfacing them, you will instead be able to see new alternatives and solutions that give you and your team a happy and safe landing.

This article is published as part of the IDG Contributor Network.