How to
Ryan Berg
Sep 2015

Security Needs Fewer Hecklers and More Cheerleaders

Photo by Source

Cybersecurity needs fewer hecklers and more cheerleaders

Everytime I hear about another data breach I brace myself for it — the inevitable knee-jerk reaction from the security community. Equal parts schadenfreude and self-righteous “I told you so,” so much of the commentary plays like a broken record — predictable, repetitive, and ultimately taking us right back around to where we started without saying anything new.

It can be tempting to hop in line to cast blame and point fingers, but whenever I see that happening I think of my daughter, instead. Specifically, I think about going to watch her play basketball, and how one play during a high-pressure game changed the way I think about mistakes, and, more importantly, how we respond to them.

My daughter was playing in a tournament at Fordham University against the well-regarded Gauchos. It was the last game of the day and we knew it was going to be a really aggressive and tough match-up.

I would usually find a quiet spot near one end of the court and simply enjoy the game, but this was a big tournament against a really good team and things got a little heated amongst the fans (like that never happens in youth sports). My daughter was wide open on the wing right in front of me, and being a natural lefty shooter, was sure to drain a much-needed three pointer.

Unfortunately, when her teammate threw a pass to her, the ball went right through her hands. I couldn’t believe it. Without even thinking, I yelled, “Catch the ball first!”

The players stopped. The gym fell silent. People stared at me. I was mortified.

I had been so emotionally wrapped up in watching her play that when she missed the pass my initial reaction was, “How could you not catch the ball?” But she knew she missed, everybody watching the game knew she missed it. She didn’t need me to tell her that. In fact, that was the last thing she needed, especially when I did it in such a way that drew more attention to it and made her feel like she did something wrong.

This kind of thing happens in security all the time. Companies “miss the ball.” They get hacked and our reaction is to ridicule them for it, even though we all know that when it comes to hacking, the deck is stacked against us.

We are going to miss a pass every now and then. We know calling out those misses is fundamentally not helpful, and yet we often do it, anyway.  

I learned a lot from that moment in the stands and seeing the response to my reaction. On the way home, I decided I was going to stop coaching from the sidelines and stop being a Monday morning quarterback. From then on, I was going to be a cheerleader, instead.

3 Keys to More Constructive Data Breach Responses

We need more cheerleaders in security. People who are rooting for us not just when we’re winning but when we’re making those inevitable mistakes, too. That’s the kind of mindset that is going to help us gain the traction we need to learn and improve more quickly.

Here are three initial steps we can all take to become better cheerleaders when it comes to cybersecurity:

  1. Acknowledge that breaches can happen to anyone (there are a lot of glass houses and no shortage of stones).

    This is not an acceptance of defeat or argument that ignorance is bliss. It’s an acknowledgement that security is a journey and not a destination. We can learn more by direct acceptance and collaborative discourse than we can by taking pleasure in someone else’s mistakes and simply being glad it wasn’t us.

  2. Offer guidance, not judgments.

    Guidance often requires more listening than talking. Security “advice” often boils down to “everything must be a nail because my company is selling hammers.” This ignores the more important part of providing guidance — the part that requires two-way communication and must first start with listening and understanding before preaching and directing.

  3. Turn the focus to applying lessons learned. 

    Failure can be a harsh but effective teacher. That said, can you imagine how much more effective it could be if we knew there was a supportive community rather than a walk of shame waiting for us on the other side? The sooner we can help each other pick up the pieces and plot practical paths forward, the sooner the real work can begin.

Great things can happen when we feel like we're being cheered for. Unfortunately, in security, it's easy to get stuck in a mindset where all our focus is on fearing potential backlashes and trying not to screw up. That's not playing to win, that's playing not to lose. 

Photo by sweis78

Ryan Berg

Ryan Berg

Ryan is Chief Scientist at Barkly. He holds multiple patents and is a popular speaker, instructor, and author in the fields of security, risk management, and secure application development.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.