Pratum Blog

I’m certain that at some point in your life you made a decision that caused someone to ask you this question.  “Well if Johnny jumped off a bridge would you follow him?”  It’s in our nature to compare ourselves to those around us.  We want validation, acceptance, respect.

Often people want to know how their organization’s information security posture stacks up against others in their industry, size bracket or geographic region.  I’m usually polite and give them some mild comparison while emphasizing that it’s not a competition.  What I really want to say is “Who cares!”  Who really cares what anyone else is doing?  You’re supposed to be making decisions based on the risk factors unique to your business.  If everyone else took excessive and dangerous risk would or should you?  If everyone else spent exorbitant amounts of money to secure something and it was bankrupting them would you follow suit?

Now I know there is some value to understanding the marketplace and how you fall into it.  But that’s typically not what people want to know.  They want to know if they can avoid security and still be a major player.  After asking how they compare to their peers, never once have I heard an executive tell me “That’s ok…we’re going to do it anyway because it’s the best decision for us.”  They are always looking for an excuse not to do something.

If you’re responsible for information security and IT risk management let me give you a bit of advice.  Make decisions based on your organization, its needs and its culture.  Maybe Johnny’s a bit crazy for jumping off the bridge.  Maybe he’s just too chicken and needs to live a little.  Are you going to live your life according to what Johnny’s doing?  Put your organization in a position to succeed regardless of what others think is the best way.  That’s called innovation.  Try it…you might like it!

A system administrator notices some logs are missing from a server.  There were also some strange spikes in network traffic a few hours earlier.  They tell you, “Something’s not right, we may have been hacked.”  Your heart sinks and your palms get sweaty as your heart rate begins a steady increase.  “What do we do?” you ask.

Hopefully this never happens to you.  But if it did, would you be prepared?  Who would you call?  What would you say?  Where do you go for help?  Asking these questions for the first time during an emergency is not a good idea.  Having a good computer security incident response plan is critical to helping you make good decisions in times of crisis.

Think about it.  First responders such as police and fire departments, EMTs, the Red Cross and the military all have disaster response plans.  They also practice putting those plans into motion on a consistent basis so when the disaster strikes, they are ready.  They know who’s in charge and what their role in responding to the disaster is.  They know the resources they’ll need and how to access them.

Your computer security incident response plan should be no different.  There should be a well-documented plan for how your organization will respond to an information security incident.  There should be a team ready to go.  They should know their roles, what they need and how to get it.  They should have trained with the plan and be ready to execute it on a moment’s notice.

Is your team ready?  Do you know who the outside experts are should you need them?  Do you know how and when to engage law enforcement?  Creating a computer security incident response plan will answer these questions for you.  It’s better to have a plan and never need it than to be searching for answers in the midst of a crisis.

There is a common characteristic shared by many of us at Pratum.  Most of our significant others jokingly “forbid” us from talking about what we do for a living at social functions.  We’ve been told that we “scare” people or make them “nervous” or “paranoid”.  While it’s not our intent (ok, sometimes it is fun to watch that one obnoxious guy at a party squirm), I have noticed this to be at least somewhat true.  Stories about what hackers can and will do to reach their end goal can be unsettling to the average non-technical partygoer.

As humans we have the tendency to become afraid of that which is unknown.  What’s at the depths of the ocean?  In the heart of the jungle?  Under the bed of a 5 year old?  In the dish at the foreign restaurant down the street?  Cyber security is no different from any other unknown in life.  We fear what we don’t fully understand.

The job of a cyber-security professional should be to help educate business leaders and the general public on cyber threats without invoking fear and paranoia.  We need to distinguish between that which is possible and that which is likely.  Using the FUD (fear, uncertainty & doubt) factor to sell your theory, get funding or simply to make a point is very short-sighted.  Eventually these individuals will become more educated and aware of all things security related.  If you’ve made them out to be a fool by taking advantage of their lack of understanding, you’ve failed.

My challenge to everyone this week is to make a concerted effort to sense when we may have made someone uncomfortable when speaking about security and attempt to dispel any unwarranted fears.  Paranoia cripples while awareness enables.  Be an enabler.
