BEWARE THE CYBERSECURITY “KNOW-IT-ALL” AND 5 TIPS FOR SPOTTING THEM
Whether working in law, the C-suite, government, or at the help desk – any cybersecurity or INFOSEC professional who brandishes a “know-it-all” persona is a liability.
Cybersecurity is a constantly changing landscape. It is nearly impossible to track, understand, learn, and conquer each new threat and evolution as it occurs. Despite a head start of several centuries, meteorologists respect the similar unpredictability of weather, which is (very generally speaking) why the public receives weather reports in percentages and on sliding scales.
Unfortunately, many cybersecurity professionals either refuse or fail to accept the basic premise that he/she does not and cannot know everything. This failure or refusal is dangerous because cybersecurity requires constant education and re-education from uncommon sources – news, Twitter, blogs, think tanks, alerts (from ISACs, government agencies, and software providers), and seemingly low-level employees.
A 2009 Harvard Business Review article entitled “Real Business Geniuses Don’t Pretend To Know Everything” acutely depicts the problem: “Just because you’re in charge doesn’t mean you have to have all the answers. Real business geniuses don’t pretend they know everything.”
The author concludes that great leaders focus on innovation, not easily predictable matters; instead recognizing “that the most powerful ideas can come from the most unexpected places: the quiet genius buried deep inside the organization, the collective genius that surrounds the organization, the hidden genius of customers, suppliers, and other constituencies who would be eager to share what they know if only they were asked. For companies, and the CEOs at their helms, those are the smartest (and most sustainable) sources of greatness.”
3 Examples of “Know-It-All” Liability
The following examples illustrate the ramifications of “know-it-all” approaches to cybersecurity:
1. Elite CIA unit that developed hacking tools failed to secure its own systems, allowing a massive leak, an internal report found: According to a CIA internal report, “CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies.” Perhaps the result of complacency and arrogance, the breach was the biggest unauthorized disclosure of classified information in the CIA’s history, forcing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency’s techniques. This is worse than the activities of Robert Hanssen – the notorious American FBI traitor and subject of the 2007 movie, Breach.
2. 2019 Capital One Data Breach: a cyber-attack that exposed sensitive information of over 100 million Americans and approximately 6 million Canadians, both individuals and businesses, who were customers of the bank from 2005-2016. The attacker, Paige Thompson, was a former Amazon Web Services employee who found a misconfiguration in communications with the cloud used by Capital One’s systems and exploited it. Threatpost and others had warned of this vulnerability prior to Ms. Thompson’s attack.
3. Equifax: The December 2018 House of Representatives Committee on Oversight and Government Reform Report confirmed that the credit agency failed to patch a repeatedly disclosed vulnerability in Apache Struts, a common open source web server, about which the Department of Homeland Security (and private websites) had issued a warning months prior. Equifax was running an unpatched, dated, web-facing Apache Struts system that allowed consumers to check their credit rating from the company’s website.
5 Tips for Vetting a Cybersecurity “Know-It-All”
When interviewing or meeting with a potential managed service provider, managed security service provider, cyber lawyer, or candidate for any information security position, consider the following:
1. Ask him/her how he/she keeps up with research and changes in his/her field of study. If the individual specializes in cyber law, there are very few traditional resources for lawyers. Therefore, cyber lawyers have to constantly search and refresh legal databases with carefully selected search terms to check for new legislation and case law, as well as read other practitioners’ articles, check government websites for alerts, and read INFOSEC news websites. “Know-it-all” cybersecurity professionals often use these questions as an opportunity to boast about panels and conferences at which he/she has spoken or is scheduled to speak. Speaking is the opposite of listening.
2. Be wary of any individual too quick to throw other practitioners “under the bus” or dismiss their abilities. Real professionals in the cybersecurity field understand that knowledge, tactics, and innovation can come from ANYWHERE, and leaders in the field keep their heads “on a swivel” to constantly search for and connect with emerging and existing talent.
3. Ask security professionals what, specifically, he/she focuses on. As this Govtech article by Adam Stone describes in more detail, not all security professionals do the same type of work, and specialized training within the cybersecurity field is becoming increasingly important. If vetting a more senior individual, ask him/her where he/she began in the field and have him/her walk you through the career progression. “Know-it-all” types often lack a logical progression and simply jump from one generic “business/vp” position to another without time served in the INFOSEC field.
4. Do not rely only on credentials. Yes, a Certified Information Systems Security Professional (CISSP) is the most globally recognized certification in the information security market and denotes commitment to the field. However, it expires after 3 years, and for good reason. Ask the applicant or professional about the age of his/her certification(s) and if/when each expires. “Know-it-all” types passed the CISSP at one time, but let it expire and refuse to stay educated and trained in the field.
5. For security managers, ask about his/her software choices, specifically which software he/she employs for which tasks. Some security practitioners will only use one vendor, for financially motivated reasons.