So this article was in my feed today telling me that 49% of infosec professionals aren’t able to get enough sleep because they’re up at night worrying about security issues. I’d argue it’s maybe that plus caffeine… but what do I know?
Anyway, from the article:
Against the backdrop of an increasingly complex and fast-moving threat landscape, infosec professionals are acutely aware of the risks their organizations face. Almost half (49%) report that they are kept awake at night worrying about their organization’s cybersecurity.
https://www.helpnetsecurity.com/2019/10/02/organization-cybersecurity-readiness/
If I’m honest, I find this a little disturbing. Why? Because, as I’ve said in the past, to me worrying is a symptom of something else. It implies either a fundamental lack of preparedness or a lack of understanding of the risk environment. That might sound harsh – particularly if you’re one of the folks up worrying – but remember that Gordon Gekko line from Wall Street (the movie) about how “greed is good”? Well, “worry” (in my opinion) has a function – namely, to alert you that something is wrong. It’s good. Listen to it. And, when it strikes, that’s a good cue to take action.
I’ll give you some examples of what I mean. First example: I don’t spend a lot of time worrying that a meteor will come and fall on me during the day. Why not? First, the risk is low. Second, I can’t do anything about it anyway. How do you prepare for that? You can’t. Whether a meteor falls on me or not is a probabilistic function that I have no control over. So I don’t worry about it because it’s out of my hands.
Another example? I don’t spend much time awake worrying that gasoline stored in the garage (for power tools and such) will catch fire and burn the house down around me. Why not? Because it’s inside a gasoline storage cabinet that is specifically designed to minimize the likelihood of that happening. In this case, there’s a risk (again a probabilistic function), but I’ve evaluated it, implemented countermeasures to the best of my ability, and the end result (the residual risk) is out of my hands.
Here’s my point. If you’re worried about getting hax0red or whatever, that’s OK (in fact that’s great)… but it shouldn’t be a chronic condition. The good news is you’re taking your job seriously. The bad news is that the worry you’re feeling is a warning sign that something is wrong and is begging for action. In that case, one of three things is true:
- The risk is unknown – There’s risk, but you don’t know what it is. This is naturally concerning, but it points to a need to better understand the risk.
- The risk is known, but insufficiently mitigated – You understand the risk but can’t do anything to mitigate it. This ideally is a transitional period, existing only until you can close the open issue and live with the residual risk.
- The risk is known and controlled to acceptable limits, but you’re worried about it anyway – This is like worrying about getting hit by a meteor. What can you do? If it happens, it happens — and there was nothing you could have done differently. This is like when I get to the office in the morning and I worry I left the stove on. It sucks when it happens, but the worry isn’t productive or helpful. In this case, the best course is to just stop worrying about it so I can be vigilant for other stuff that I really should be worried about.
Anyway, just my two cents. I apologize if this seems like I’m “blaming the victim”, but I felt strongly that the fact that there was so much worry out there is really not a good thing.