Cybersecurity Lies and the Lying Liars Who Tell Them

Author: David Brown, CISA, CCSP, CEH, CISSP, PMP
Date Published: 18 January 2022

I freely admit I borrowed my title from former US Senator Al Franken’s 2003 book Lies and the Lying Liars Who Tell Them.1 But I think it is time we as security professionals take a good hard look at ourselves and admit all the ways that we are lying…to OURSELVES!

In the 1992 blockbuster movie A Few Good Men,2 actor Jack Nicholson famously said, “You can’t handle the truth!” Turns out, he was right. In her book Lies We Tell Ourselves, author Courtney Warren wrote, “The truth is that we can’t handle the truth. Self-deception comes from not having enough psychological strength to admit the truth and deal with the consequences that will follow when the truth is acknowledged.”3

How am I doing so far? I have said that security professionals are liars, they cannot handle the truth and that they do not have enough psychological strength. Those who are still reading are perhaps braver than the average security professional.

So, what is it we are lying about? Protecting data. We do not like to admit to ourselves or others that we are unsure of how to defend data. Face it, the number of ways that you and your organization could be hacked is almost infinite. Every day, we hear about some new breach of an enterprise that has considerably more resources than you or I have at our disposal. If that organization cannot protect itself, how can we?

And so, we start telling ourselves little lies. We stop admitting to ourselves and to our superiors that we are not really sure what to do next. Will that internally created phishing awareness campaign actually help avoid ransomware? Will buying Proofpoint’s email protection help? If so, by how much? Once you realize that you cannot possibly know what an attacker might do, how can you stand in front of the board and present your next budget?

It is ironic. We security professionals are hired to ensure that our enterprises’ data remain safe. We pledge allegiance to the sacred confidentiality, integrity, availability (CIA) triad. But the truth is, we do not know what is going to happen. Security professionals cannot know if theirs will be the next organization to be breached.

No wonder we lie to ourselves and to others. If we admit that we are not sure what to do, will we lose our jobs? Why would any enterprise pay a security professional if we do not have the answers?

In his book Think Again, author Adam Grant promotes the idea that people are better off when they do not know something.4 He says humans consistently overestimate their own abilities when they think they know something. They underestimate their abilities when they assume they do not know. We are actually in a better place when we do not know the precise answer. It forces us to think more precisely instead of just relying on feelings.

So, what are some lies we security professionals believe? What truths are we afraid to admit? Well, consider these 4:

  1. We will not be hacked—It is easy for security professionals to stick our heads in the sand. There is no way to know for certain if or when an enterprise will be hacked, so why even bother? Perhaps you have never been hacked. If so, why not believe that you will never be hacked? Why would a hacker come after you and your organization anyway? What could they possibly want from little old you?

    Here is the truth: The number of hacks is increasing every year. The following statistics were included in a recent report:

    • 2018—29,562 breaches reported
    • 2019—44,863 breaches reported (51% increase)
    • 2020—67,529 breaches reported (50% increase)5

    Despite larger security budgets and more effective security tools, breach numbers continue to rise. The scary part is that a significant number of attacks are now automated. It is not personal. There is not an evil hacker looking at any organization and thinking, “I am going to take them down.” Rather, it is a computer algorithm that grabs an organization’s domain name and creates a generic phishing campaign. Perhaps it crawls an enterprise’s website for email addresses, but more likely it just uses common usernames. Or perhaps it uses email addresses from the dump of some breach database from the dark web. In goes the domain; out comes the attack.

    Do not believe the lie that this will not happen to you. Approximately 90% of hacks today start with a phishing email.6 It is easy, inexpensive and effective. It will happen.

  2. If we are hit with ransomware, our backups will save us—I spent several years as a backup administrator for a major US enterprise. The organization had top-notch equipment and several full-time, dedicated staff doing nothing but backups, and my team still had issues when it came time to do full system restores. Not only did we have ever-present backup failures (for a myriad of reasons), we also struggled to get successful backups to restore when we had to do bare-metal restores (you know, the type you will have to do if you are ever hit with ransomware).

    We did hundreds of file restores every week as we served more than 100,000 clients. To the uninitiated, this might seem like ample proof that one’s backups are working as planned and will adequately provide protection in an emergency. This too is self-deception. The only way to know if your backups will offer protection after a ransomware attack is to do full, bare-metal restores of all key systems on a regular basis. No matter what the sales representative says about the backup solution, this is the only way to know the truth.

  3. We will go out of business if we are hacked—This is one of my favorite lies. We read the mind-blowing amounts of money that reporters tell us each breach costs and we assume that if we are breached, we will face similar costs. For most of us, those costs would be high enough to put us out of business. Security software salespeople are not any help in this area. They insinuate that if an enterprise is breached in a public way, its reputation will never recover. No one will ever trust the organization again.

    But is this really true? What have you observed in the aftermath of recent high-profile breaches? Did any of the following companies go out of business after their very public breaches?
    • Target7
    • Facebook (Meta)8
    • OPM9
    • Aetna10
    • Experian11

    The fact is most consumers change their habits in the short term, but once the news cycle is over, they go back to their old habits. Comptrollers will say that a drop in stock price—even if it can be directly attributed to a breach—is not “materially relevant” unless the dip lasts for 12 months or more. No organization that has had a major breach has had a stock dip last that long. It is another lie.

  4. It is okay to use social media (also known as social media will not affect me)—We have all read the articles that outline how harmful social media is for children, politics, fake news, depression and anger—yet there are more Facebook users today than ever before.12 Why? Because we tell ourselves a little lie: “This won’t affect me. I understand the risk and can be careful to not succumb to the negative influence.”

    The fact is, Facebook (Meta) and other social media giants have spent millions of dollars perfecting their addiction machine. They have hacked the human mind and know what to do to trap users without them ever realizing what happened. Study after study has shown this to be true.13 It is a lie to believe that this does not apply to you and me.

So, what do we security professionals do with this information about the lies we tell? We do not like to face the facts. We do not like to admit we do not know. We do not like to admit we might be wrong. Unfortunately, there is no easy answer. The fact is security is complicated. It is full of unknowns. But we do ourselves and the enterprises we serve a disservice when we ignore or deny these facts. We need to be honest with ourselves and our employers. When we admit what we do not know, we have the opportunity to explore, experiment, collaborate and yes, sometimes fail. It is counterintuitive, but it is when we are honest about our insecurities—when we are vulnerable—that other people actually respond with support. No one likes a braggart. Everyone roots for the underdog.

Remember, the key to Socrates’ philosophy was his admission of ignorance.14 It was his desire to ask questions, his willingness to be proven wrong, his interest in having conversations—with anyone, about anything. He was smart because he was humble, not conceited because he was smart.

Whether your employer realizes it or not, it is not your job to know all the right answers. It is your job to stay vigilant, to ask questions and to stay curious. The moment we believe and express the lie that we know what to do is the moment we begin to fall.

I will leave you with the words of the Buddha, “There are 2 mistakes one can make along the road to truth: not going all the way and not starting.”15 Today, I hope I got you started. I encourage you to go all the way. Discover the other areas in your life where you are not being honest with yourself. I highly recommend the books Lies We Tell Ourselves, Rebel Talent16 and Think Again17 to help you along your journey.

Endnotes

1 Franken, A.; Lies and the Lying Liars Who Tell Them, Plume, USA, 2004
2 Reiner, R., dir.; A Few Good Men, Columbia Pictures, Culver City, California, USA, 1992
3 Warren, C.; Lies We Tell Ourselves, Insight Publishing, USA, 2014
4 Grant, A.; Think Again: The Power of Knowing What You Don’t Know, Viking, USA, 2021
5 HackNotice, “Analyzing Over 65,000 of Data Breaches for 3 Years Shows Unfavorable Trends,” 2 February 2021
6 Data Insider, “91% Of Cyber Attacks Start With a Phishing Email: Here's How To Protect Against Phishing,” Digital Guardian, 26 July 2017
7 Popken, B.; “Target Estimates Breach Affected up to 110 Million,” NBC News, USA, 10 January 2014
8 O’Flaherty, K.; “Facebook Data Breach: Here’s What to Do Now,” Forbes, USA, 6 April 2021
9 Opm.gov, “Cybersecurity Incidents,” USA
10 Ibid.
11 Cloudentity, “The Experian Credit Score Breach: What Happened and How to Prevent Future API Data Breaches,” 3 May 2021
12 Statista Research Department, “Number of Facebook Users in the United States From 2017 to 2026,” Germany, 23 August 2021
13 Castellano, O.; “Social Media Giants Are Hacking Your Brain — This Is How,” Medium, USA, 18 December 2017
14 The-Phillosophy.com, “The Philosophy of Socrates”
15 Quotes.net
16 Gino, F.; Rebel Talent: Why It Pays to Break the Rules at Work and in Life, HarperCollins Publishers, USA, 2018
17 Op cit., Grant

David Brown, CISA, CCSP, CEH, CISSP, PMP

Is a 20-year veteran in the IT world, currently serving as the manager of information security at Mary Washington Healthcare in Fredericksburg, Virginia, USA.