Lessons from Hawaii – how prepared should we be?

Jan 16, 2018 | 4 mins
Disaster Recovery, Technology Industry

If something happens you’ve never seen before, how do you know what to do next?

If you’ve paid attention to the news recently, you heard about the accidental missile warning that went out in Hawaii. I can’t imagine the terror that must have resulted from that mistake. There are certain things that just are never funny; this is one of them. I don’t see us ever looking back with fond memories on that event.

But there are some lessons for us. I really started to think about what I would do if I were in this sort of situation. How could I prepare for such an event? I realized that I have no idea what I would have done. This is the sort of thing you just can’t be ready for.

My mind eventually wandered to cybersecurity and how we could learn a lesson from this event, and I kept thinking about how you could possibly prepare for this. Emergency preparation requires a certain level of understanding, and the reactions must be simple, but they can have enormous results in such a situation. I realized I lack the proper level of understanding for that type of emergency.

I don’t intend to go over what sort of activities are the most useful during something like an actual disaster. There are far better resources than me and I don’t want to give out bad advice. Bad advice can mean the difference between life and death. I don’t want that sort of responsibility. What I want to focus on is how this relates to our current cybersecurity environment.

The actual reality seems to be that most of the things we can do in nearly any emergency are incredibly simple and can have a huge impact. The very nature of humans is to let panic and curiosity take over; we forget basic things that can help prevent catastrophe.

My favorite example of this is that after a large meteor, treating cuts from broken glass is the biggest problem. This is because everyone looks out a window at the bright light; the shock wave then breaks the windows, sending glass into the onlookers. How would you know this, though? I know if I saw a bright light outside I would go look out the window. Or at least that’s what I would have done.

Security isn’t really any different. We love to imagine situations where we have some sort of super attack that breaks into our environment and we get to use advanced techniques and tools to thwart the attackers. What’s the problem in this situation though? Is it an attacker, or is it us?

The simple answers are usually the best answers. Of course, that’s easy to say in hindsight; we don’t always understand what the simple answer to a problem is. We don’t always understand what the problem is in some cases. It’s very common to fail more than once before we understand what the actual problem is.

Our challenge as security leaders is to first understand the problem. It’s usually way easier to build solutions to problems that aren’t real. Spend time to figure out what your actual problem is. If we put this in the context of an emergency, if something happens you’ve never seen before, how do you know what to do next? Some people are very good at reacting quickly, most are not. Planning for the unknown doesn’t work. If you don’t understand your problem, you’re trying to solve the unknown. It’s not going to work.

Once you understand your problem, you can start to think about how to make things better. Again, we love to overengineer solutions at this point. The simple answer is generally not just the easiest, it’s often the best. Simple and working is always better than complex and broken. If we look back to disaster planning, the most common advice you hear is usually “stay where you are”. That’s about as simple as it can be, and plenty of people won’t follow it; many will meet with disaster. If you tried to give out instructions that needed ten complex steps, nobody could follow those instructions.

Remember that during a mentally straining situation, it’s very hard to comprehend lots of instructions. You need to keep things simple. If you’re in the middle of a compromise, you must be able to react quickly with extremely simple steps.

The parting lesson to all this seems to be that if we understand our possible problems, have a minimal amount of preparation in place, and have simple solutions and instructions, we can greatly increase our chances of success.


Josh Bressers is the head of Product Security at Elastic. Josh has been involved in the security of products and projects, especially open source, for a very long time. Josh has helped build and manage security groups for many open source projects as well as a number of organizations. Everything from managing vulnerabilities, security development lifecycle, DevSecOps, security product management, security strategy, and nearly any other task that falls under the security umbrella.

Josh co-hosts the Open Source Security Podcast. Josh is also an active member of the Distributed Weaknesses and Filing project which is in the process of leveraging the power of open source for CVEs.

The opinions expressed in this blog are those of Josh Bressers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.