Cybersecurity Awareness Month: Increasing our self-awareness so we can improve security

With the increased prominence of cybersecurity in organizations due to many crippling cyberattacks, the emphasis is now on continual engagement, as it should be. It’s also important to address the tunnel vision that has plagued the field, and how we need to combat it before we can make it to the next level.


October has been National Cybersecurity Awareness Month since 2004. According to staysafeonline.org, this initiative was started by the National Cybersecurity Alliance and the US Department of Homeland Security to help all Americans stay safe and secure when online. This month is usually marked with a significant uptick in cybersecurity outreach and training. It’s also the one month of the year when you can get a significant amount of cybersecurity swag such as webcam covers, mugs, and pens. This event has an outward focus: raising awareness of security globally.

Many other events have come into existence along with this. For example, there are numerous electronics recycling events that now occur in October where people can securely dispose of their old computers. Some municipalities have extended this to include safe disposal of old prescription medications, paints, and other hazardous materials.

Recent events in the greater technology community, specifically the resignation of Richard Stallman from both MIT and the Free Software Foundation, serve as cautionary examples: they show that while we have come a long way, we still have a long way to go.

Instead of focusing this month on how we can improve our outreach to customers, I think it’s more pertinent that we use this month to focus on ourselves, on how we can increase our self-awareness to provide better security and escape the trap of tunnel vision. Given the recent explosion of targeted ransomware, IoT attacks, and data breaches, organizations need Information Security now more than ever. We need to combat tunnel vision and its associated issues to turn around the perception of Information Security and increase its effectiveness.

What is tunnel vision?

Tunnel vision is a naturally occurring behavior. According to the website Situational Awareness Matters, it’s a tendency to focus on a single goal or point of view. The more important a goal is, or the more threatening a stimulus is perceived to be, the more likely people are to focus their attention on it. This has been used as a very effective manipulation tool to get people to focus on one area without taking others into consideration. It short-circuits critical thinking.

Scientists are often very focused and disciplined by nature. They work on important and lofty goals. This was lampooned on the TV series “The Big Bang Theory,” featuring a brilliant yet idiosyncratic scientist in Dr. Sheldon Cooper who was so focused on logic, his point of view, and his goals that he often offended or shut out others with his tunnel vision. While he finally gave credit to others in the final episode after a particularly bad incident, this behavior was used over 12 seasons for comedic effect.

In the real world, there’s no laugh track, and we don’t come to resolutions in 22 minutes. Tunnel vision can cause people to lose sight of what is important and of what is happening around them. It can cause them to not understand the consequences of their actions. This has real-world effects, and people get hurt and offended. Unlike the comments Dr. Cooper made that hurt those around him, those effects last a lot longer than an episode or two, and they don’t disappear to boost viewership.

Tunnel vision means several things. First, it means that we don’t see the effects of our actions, and that we focus too much on the minutiae and not enough on customers. We also dismiss as unimportant anything that does not involve our immediate area of control. We treat our customers how we think they should be treated instead of how they need to be treated.

It also means that we become blind over time to bad behavior and its effects, because we are so focused on the goals at hand that we neglect to see how our actions affect our stakeholders. We also see these goals as having more intrinsic worth than those of others, and don’t give value or consideration to theirs. This is the beginning of a sense of superiority and the devaluation of others. It puts us at the top of a downhill slope, where we find further reasons to attack others and dismiss everything they say because they fit certain labels, without being objective or considerate in how we treat them. Social media and the echo chambers it facilitates have amplified this significantly.

How did we get there?

Tunnel vision shuts out or minimizes anything but the perceived objectives. It’s about having a perceived mission that overtakes everything else and believing in it so strongly that you rationalize bad behavior as either necessary or as a necessary consequence. It leads to the rationalization that your behavior and actions are worth more than others’, and that the actions you take, even if they offend or hurt others, are worthy and necessary. This causes people to ignore the obvious and not think through the consequences of their actions.

A prime example of this was the MIT administration ignoring complaints about Richard Stallman’s behavior for years from numerous women because he brought prestige to the campus through his software development work and evangelizing of Free Software. The MIT Media Lab administration willingly overlooked the donations from a convicted sex offender because they funded projects and initiatives that increased their prestige. Due to the tunnel vision of the late Marvin Minsky and Joichi Ito, MIT has a serious credibility crisis they need to address.

How do we see this in the workplace?

I’ve been in IT and infosec for over 20 years. There are several root causes of security issues. Complacency/indifference is the biggest one I have seen, followed by self-centeredness, making excuses or rationalizing, resistance to change, defensiveness (and its associated attacks), competitiveness, celebrity worship, and integrity/values/truth alignment. I am by no means saying I am perfect and have never been guilty of any of these, nor am I trying to preach. I’m trying to help others not repeat the mistakes and lack of introspection that put many of us, and the profession, in a bad place. The goal here is to help us out of tunnel vision and toward better relationships that last longer than swag, by using mirroring and modeling. We want to get to a point where we avoid viewing ourselves as superior to others and justifying bad behavior. Nobody is entitled to behave badly or to force others to do what they want.

Since there is greater visibility on security, we must hold ourselves to higher standards. The way we carry ourselves is now visible across the organization. Technology is no longer data processing, and the team isn’t hidden in the data center or computer rooms anymore. Due to multiple events involving ransomware and other major events, we are now front and center, and we have growing pains. We also can’t be crying wolf or pretending to be Chicken Little all the time anymore.

As I sit here writing these words, I realize that complacency, indifference, and tunnel vision have been the rules of the game, and that, for better or worse, many have perpetuated the need to keep things as they are. More importantly, I’ve seen an industry with a lot of people who want to keep others out because it makes them do something different and/or interrupts their little world. Many of them view themselves as superior to those they are supposed to serve. It only takes a few of them to ruin an organization.

This is nothing against the many hardworking people who truly fight to improve their situation and work very hard to earn the continued trust of their customers. We salute and encourage them and celebrate their existence and willingness to advance the profession. We want to add to their ranks because we will never have enough of them. The many leaders that teach and live Servant Leadership need to be multiplied tenfold.

We have too many people who want to push a button, look like they’ve solved the world’s problems, and have an easy time doing so. They don’t want others involved because those others bring a different point of view, and addressing it means doing more work. So they focus their attention on the people who bring the different point of view rather than on the problems and issues those people raise; attacking the messenger takes less work, makes them look better, and preserves their sense of superiority and condescension. I’ve seen nothing but insults from the self-appointed tech gods who keep others out because having anyone ask questions messes up their business model. I’ve had a fellow team member accosted by a security consultant who yelled at him, “It seems every place you work I don’t get any business, and you’re costing me money!”

I’ve been on the receiving end of negative feedback (and much worse) from customers who were fed up with previous attempts at security. I have had to deal with the negative effects of multiple people who believed they were innately superior causing major issues across multiple organizations, because they just didn’t see others as equals or give them consideration. If there has been one constant in my career, it has been addressing the fallout from people and companies who do not listen to or give any weight to their customers and stakeholders. The first company I worked for full-time as something other than tech support received many large projects from customers who were looking for better providers who could meet their needs. My career has been built around rectifying these situations.

I’ve also seen security “professionals” purposely steer away from teaching others about security, even the basics that the customers ask for, out of fear that people will learn more and not need to depend on them. I’ve also seen indifference to actual issues being discovered many times, along with outright hostility and passive-aggressive threats to derail initiatives. I’ve also seen indifference to bad behavior because it was perpetuated by someone higher up, and rationalization that the behavior was warranted.

I’ve seen horrible behavior continually excused and rationalized because it was perceived that the perpetrators either saved significant amounts of money, kept the organization running, or knew about security. Rather than help these people learn how to operate in a professional environment, provide leadership and mentoring, or counsel them out because of their bad actions, management chose the path of ease and let toxicity reign at the expense of the rest of the organization. I have watched this destroy teams, communication, employee engagement, and morale.

I have seen deliberate lying and false statements to customers condoned or let go because they made someone look better or improved a performance metric (sales, a lower number of incidents, avoided data breaches, etc.). The more we accept and perpetuate this, the more we accept it from others in authority. False statements, whether or not they support an agenda you agree with, are still false, and wishing they were true doesn’t make them so. Our customers know this and pick up on it, and this damages relationships, sometimes irreparably.

Most important of all, this behavior made customers and team members afraid to report security incidents, out of fear of retribution, of being made fun of or mocked as stupid, of other forms of harassment, or of nothing being done to address a pressing personal or business issue. Yet because management chose not to see the issues at hand, being so focused on making themselves look good, they thought everything was going well. As I always tell my team, eventually this bad behavior gets found out. Senior leadership doesn’t get there by fiat in most cases. They are there because they know how to address business concerns in multiple dimensions and meet the needs of their customers.

What is this about?

It’s not about race, gender, sexual preference, or anything else. It is about threats to perceived power, an innate sense of superiority, and influence or playing politics. There are people in every industry who abuse power and take pleasure in manipulating others, and Information Security is no exception. Those of us pushing for change are attacking the status quo, disrupting the complacency or power of others, making them do work they don’t want to do, and credibly demonstrating how vulnerable organizations really are. There are people visibly upset that we’re changing how they perceive security and shattering their long-held beliefs, and they are very angry about it. They see us as a threat, especially to their power structure. The problem is that many of them work in security. They see tools and consultants as something to hide behind to make themselves look good to senior leadership, as opposed to collaboratively working to address risk. Even the imminent threat of ransomware didn’t cause the changes that it should have.
