{"id":843,"date":"2019-10-03T23:05:02","date_gmt":"2019-10-03T23:05:02","guid":{"rendered":"https:\/\/securitycurve.com\/?p=843"},"modified":"2019-10-03T23:05:02","modified_gmt":"2019-10-03T23:05:02","slug":"worried-is-a-symptom","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=843","title":{"rendered":"“Worried” is a symptom"},"content":{"rendered":"\n
\"\"
You are NOT prepared!<\/figcaption><\/figure><\/div>\n\n\n\n

So this article<\/a> was in my feed today telling me that 49% of infosec professionals aren’t able to get enough sleep because they’re up at night worrying about security issues. I’d argue it’s maybe that plus caffeine… but what do I know? <\/p>\n\n\n\n

Anyway, from the article: <\/p>\n\n\n\n

Against the backdrop of an increasingly complex and fast-moving threat landscape, infosec professionals are acutely aware of the risks their organizations face. Almost half (49%) report that they are kept awake at night worrying about their organization\u2019s cybersecurity.<\/p>https:\/\/www.helpnetsecurity.com\/2019\/10\/02\/organization-cybersecurity-readiness\/<\/a><\/cite><\/blockquote>\n\n\n\n

If I’m honest, I find this a little disturbing. Why? Because I’ve said this in the past, but to me, worrying is a symptom of something else. It implies either a fundamental lack of preparedness or a lack of understanding of the risk environment. That might sound harsh – particularly if you’re one of the folks up worrying – but remember that Gordon Grecko line from Wall Street (the movie) about how “greed is good”? Well, I “worry” (in my opinion) has a function – namely, to alert you that something is wrong. It’s good. Listen to it. And, when it strikes, that’s a good cue to take action. <\/p>\n\n\n\n

I’ll give you some examples of what I mean. First example: I don’t spend a lot of time worrying that a meteor will come and fall on me during the day. Why not? First, the risk is low. Second, I can’t do anything about it anyway. How do you prepare for that? You can’t. The chances of a meteor falling on me or not is a probabilistic function that I have no control over. So I don’t worry about it because it’s out of my hands. <\/p>\n\n\n\n

Another example? I don’t spend much time awake worrying that gasoline stored in the garage (for power tools and such) will catch fire and burn the house down around me. Why not? Because it’s inside a gasoline storage cabinet that is specifically designed to minimize the likelihood of that happening. In this case, there’s a risk (again a probabilistic function), but I’ve evaluated it, implemented countermeasures to the best of my ability, and the end result (the residual risk) is out of my hands. <\/p>\n\n\n\n

Here’s my point. If you’re worried about getting hax0red or whatever, that’s OK (in fact that’s great)… but it shouldn’t be a chronic condition. The good news is you’re taking your job seriously. The bad news is that the worry you’re feeling is a warning sign that something is wrong and is begging for action. In that case, one of three things is true:<\/p>\n\n\n\n