From Cantankerous to Competent: My Journey Through Cybersecurity's Illusions
Let's be candid for a moment: the cybersecurity industry is riddled with individuals who mistake being irritable and contentious for being skilled. We love to eat our own at their worst moments. I've walked this ground for almost two decades, and I've played that character—the exasperated one who thinks, "No one gets it!" or, worse, made fun of someone's breach. However, I've grown, and it's about damn time you considered doing the same.
My Transformation: The Tables Turn
If you'd met me years back, you'd know a guy who was quick to lose his cool, all because I felt that non-technical stakeholders were completely clueless. Then, there I was, at a leadership roundtable, drowning in a sea of business metrics like LTV/CAC ratios and ARR projections. That was my moment of reckoning: I was equally clueless in their domain. Suddenly, I couldn't afford to be dismissive.
Let's delve into an example to illustrate this. Imagine you put together a funding request for the Incident Response (IR) team. You based it on projected needs, perhaps some emerging threats, and maybe you threw in some nice-to-haves, but ultimately the request gets denied by finance. What's your first reaction? If you're like most of us in security, you might go back to your team grumbling, "Finance just doesn't understand; they're jeopardizing our security!", thereby making finance the enemy in the eyes of your team.
But let's dissect this a little. Did finance really not understand, or did we not communicate the proposal in terms that were meaningful to them? Did we articulate how this funding request would impact EBITDA, for example, or reduce the expected cost of a breach (likelihood times impact, the same arithmetic finance uses for any other risk)? Or did we use the language of fear, uncertainty and doubt? We get so trapped in our own echo chamber that we forget other departments have their own metrics, their own pressures, and their own expertise.
Now, consider another scenario where you ask a development team to fix a security bug, and they tell you they have other, more important goals. Again, the temptation is to think, "They just don't get it; they could jeopardize the entire company!" But hold on a second. What if their goals are tied to revenue objectives or customer retention? Isn't that important too? Maybe they're working on something that, if delayed, could cost the company in other ways, ways that might be as significant as, or more significant than, the bug you want fixed. The problem is not that they don't understand; the problem is that we often don't take the time to understand them.
Both of these examples are more than just a breakdown in communication. They reveal a critical lack of empathy and understanding towards the specialized knowledge and priorities of others. When we realize this, the tables indeed turn. We come to see that everyone brings something vital to the table, and just because it's not our expertise doesn't make it any less valuable. This shift in perspective doesn't just make us better at our jobs; it elevates the whole organization.
The Sky Is Falling! Or Is It?
We've got a credibility problem in cybersecurity, largely because we're so quick to sound the alarm. We behave like modern-day 'Chicken Littles,' proclaiming doom with every new vulnerability, as if each one is about to bring down the Internet. Not only is this approach ineffective, but it's also actively harmful. It shifts our collective attention away from manageable, actual risks to hypothetical calamities.
Take the recent frenzy over an alleged Signal 0-day vulnerability as a case in point. The moment the rumor hit the cyber streets, the industry erupted in a blaze of warnings and precautionary advice. And what happened? Signal stepped in to deflate the whole thing, effectively saying, "Calm down, there's no fire here." Could Signal be concealing the truth? It's possible, but that's not the point. The issue is that we raced to judgment without waiting for verified information. The result? We looked rash and unreliable.
And don't get me started on the absurdity of vulnerabilities now having their own branding—complete with logos and marketing campaigns. What, no logo? Then it must not be a big deal, right? This is an embarrassing state of affairs.
Eating Our Own: A Zero-Sum Game
The cybersecurity community sometimes resembles a cannibalistic society, and nowhere is this more apparent than in our social media behavior following a significant breach. Take the recent Okta incident as an example. Keyboards were ablaze with rants, raves, and unsolicited advice from so-called experts, many of whom could easily find themselves the subject of the next day's headlines. This isn't just counterproductive; it's embarrassing for the community.
We have tangible, effective solutions like WebAuthn, which could significantly reduce risks like phishing attacks, but instead of focusing on the deployment of such technologies, we waste time engaging in armchair quarterbacking. Oh, and if you can't get WebAuthn deployed, maybe you are selling it wrong: stronger identity assurance reduces friction for the whole company (no passwords to reset, no one-time codes to type), not just risk for the security team. It's not hard to see that there's rarely anything novel in the ways companies get breached; the vulnerabilities are often well-known, and the fixes are available. We need to cut the public flagellation and get serious about applying the solutions we already have at hand. By doing so, we'll be less of a social media spectacle and more of a unified front that can effectively combat cybersecurity risks.
WebAuthn is a modern security standard that enables users to log into services using biometrics (like fingerprints or face recognition) or physical devices (like security keys), without the need for passwords. Crucially, each credential is scoped to the domain it was registered for (the relying party ID), and the browser, not the web page, records the origin the user is actually on in the data the authenticator signs. A credential registered for example.com therefore cannot be exercised from a look-alike domain, and a server that checks the origin and relying party ID in the signed response will reject anything a phishing site manages to relay. By removing the password element and adding domain-specific binding, WebAuthn provides a more user-friendly, secure, and phishing-resistant way to access services.
Learning to Speak Human
Ever listened to how we converse with people outside our circle? It's usually a mix of jargon that doesn't clarify but confuses. If we claim expertise, then it's our damned responsibility to be effective communicators, not just effective coders or analysts. And I'll tell you why this is so critical.
Firstly, we're not just dealing with computers; we're dealing with humans who use computers. That means our audience includes everyone from the boardroom to the breakroom. These are people who may not know the difference between an SQL injection and a phishing attack, and guess what? They don't have to. It's our job to bridge that knowledge gap, and not by dragging them up to our level of understanding. Oh, and they are going to click everything, and that's okay. Hyperlinks were invented to be clicked, and clicking should be safe if we are doing our jobs: phishing-resistant authentication such as WebAuthn takes the stolen-password payoff off the table, and endpoint and browser hardening covers the rest.
Secondly, convoluted language and a holier-than-thou attitude contribute to a toxic environment that excludes non-technical stakeholders from important conversations. When you use terms like "zero-day exploit" or "Advanced Persistent Threat" without explanation, you're essentially saying, "This conversation is not for you." That's a huge problem because cybersecurity is most effective when it's a team effort that includes everyone in an organization. Often, I have had more valuable input on our security strategy from outside the organization than from inside it. That isn't because the team isn't wickedly smart; it's that we don't share the perspective of others, and if we don't make room for them, we will never hear them.
Thirdly, poor communication creates barriers to action. When threats are discussed in ways that are unintelligible to those responsible for budgeting, don't be surprised when the funding for your latest threat-hunting tool gets denied.
Lastly, effective communication is crucial in crisis situations. During a breach or an ongoing attack, clear and understandable communication can mean the difference between effective incident response and utter chaos. And let's be honest, when things hit the fan, the last thing anyone needs is a cybersecurity expert mumbling jargon.
Being a brilliant coder, an astute analyst, or a skilled hacker is not enough. If you can't communicate your expertise in a way that others can understand and act upon, you're failing in one of your essential roles as a cybersecurity professional. It's time we stop speaking like we're addressing a room full of clones and start communicating in a way that educates, includes, and empowers everyone around us. If you can't do that, you're essentially part of the problem, not the solution.
The Price of Anger: Opportunity Costs and Emotional Toll
I don't know if we are angry, maybe it's just me frustrated by how we treat each other, but we sound angry. Anger does more than just give us a bad reputation; it imposes real costs—both tangible and intangible. Tangibly, the time and energy spent fuming could be redirected towards productive tasks, like innovating on security measures (see WebAuthn), training team members, or refining processes that actually make the digital world safer. These are what we call opportunity costs. They might not show up on a balance sheet, but they are real, and they do have an impact on an organization's security posture.
On the emotional side, let's not underestimate the psychological toll that a perpetually angry or hostile work environment can take on a team. High stress levels, burnout, and a higher rate of employee turnover are all associated with such toxic environments. It's bad for morale, and it's terrible for productivity. In a field that demands focus and collaboration, these are resources we can't afford to squander.
The Way Forward: Compassionate Competence
The times are ripe for a paradigm shift. We don't need a cybersecurity landscape saturated with swaggering lone wolves who can't explain what they do to a five-year-old or a fifty-five-year-old. What we need are empathetic experts—professionals who are not just proficient in their technical skills but also excel at human interaction.
Why? Because the latter skill set is what enables the former to be truly effective. Your ability to protect a network or mitigate a threat is massively amplified when you can also communicate that value to stakeholders or educate an entire organization on best practices. Empathetic expertise turns the technical into the actionable.
A Call to Action, Not a Conclusion
Here's the harsh reality: the cybersecurity industry needs to mature, and it needs to do it fast. My journey from being a hot-headed, short-sighted cynic to a more balanced, thoughtful professional didn't happen overnight, and it wasn't easy. But it's a transformation that more of us need to undergo.
We need to pivot from being a tribe of insular, often irritable experts to becoming a community of compassionate, articulate, and collaborative professionals. If we fail to make this transition, we risk devolving into a backbiting clique that squanders its potential, alienates its allies, and—most tragically—fails to make the meaningful impact that the times so desperately require.
So, don't consider this a conclusion; consider it a call to action. We have the technical tools; we have the intellectual talent. What we need now is the emotional intelligence and the maturity to use them wisely. Anything less would be a disservice to ourselves and the organizations and individuals we vow to protect.