Believing Cybersecurity Is Achievable

In the opening scene of the movie Trading Places, Eddie Murphy plays a small-time con man grifting on Wall Street until he finds himself being arrested inside a large commodities trading firm. The two owners of the company make a bet that they can turn Murphy into a successful Wall Street trader just by putting him in a suit, getting him a haircut, and giving him a job. Murphy hilariously proves them right. This happens so much in real life that psychologists have a name for it: the Pygmalion Effect.

In 1963, elementary school teacher Lenore Jacobson read an article in a science magazine that would change her life. The article, written by Harvard psychologist Robert Rosenthal, was about the effect of researchers’ expectations on their subjects in psychological experiments. In the article, he wondered if a similar self-fulfilling prophecy might be at work in the relationship between teachers and their students. Jacobson wrote to Rosenthal, and together, they agreed to conduct the experiment at her school.

At the beginning of the school year, all of her elementary school students took an IQ test. To test the theory that teachers’ expectations have an impact on student outcomes, the researchers told the teachers that some students were superstars with high IQs, while in actuality, those students had average or below-average intelligence scores. At the end of the school year, the students were tested again, and the below-average students whose teachers had been deceived about them all showed above-average gains in IQ.

Similar studies have shown that the reverse is also true. When expectations are low, test scores go down.

There is an unofficial motto in the cybersecurity world: “people are the weakest link.” This motto is reinforced by a number of different statistics. Human error accounts for more than 90% of all data breaches, according to a study by IBM. I read an article recently that talked about how people are the one thing that can’t be patched. Social engineers, like Kevin Mitnick in his book The Art of Deception, are quick to point out that they are 100% successful in breaching companies … and always will be. And many people in the cybersecurity industry come from IT backgrounds that familiarize them with acronyms about how users are the problem, like PEBCAK (“problem exists between the chair and the keyboard”) or ID10T (read as “idiot”) errors.

I’ve heard a phrase that some professors use in higher education: “college would be great if we just didn’t have any students.” The trend in security seems to be to think that companies would be great if we just didn’t have any employees. Really?

Sure, humans are the ones who make the mistakes. They fall victim to social engineering. They write bad code. They misconfigure firewall settings. They click on phishing messages. They don’t patch their computers.

In 2016, there were 1,093 companies in the U.S. that reported experiencing a data breach, an all-time high. We also know that there are some breaches that haven’t been discovered yet. That’s a big, scary statistic. But we can still safely say that over 95% of companies DIDN’T get breached last year. Even at the ones that did get breached, over 95% of humans DIDN’T make the mistake that caused the breach. Even the ones that made mistakes didn’t make mistakes 100% of the time … they made a few mistakes, probably because of other pressures.

Why do we focus on failure instead of success? It’s not bad to want to learn from our mistakes. In order to prevent the next breach from happening to us, we want to get out there and stop it. But then we get a new breach, and we try to stop that one. Unfortunately, this problem-centric approach looks a lot like a dog chasing its tail.

Cybersecurity leaders should act more like coaches or teachers rather than bouncers or enforcers. A coach would look at this problem and say we need to model the good behavior in order to break those bad habits that trip us up. If your coach slapped you on the hand every time you lifted a weight incorrectly, you’d just give up. Or you’d fire your coach. Instead, your coach shows you what good form looks like. He needs to break the process down into its foundations and come up with drills to improve the foundational components.

If you’re a coach, you start to look at people like players. Players are the ones you attack the problem with. They’re your partners in that objective. You don’t complain about the player who dropped a ball or made a mistake. You go back into the locker room, review the play, and make adjustments. The coach can’t run the ball across the goal himself; he needs the players to be on the field.

If you asked a coach what the strongest part of his team is, what would he say? The football? The field? The sports drink that they give the players? His game plan? Or would he say his team? As cybersecurity leaders, we need to believe in our teams. To do this, we have to flip the PEBCAK mindset and start thinking that the solution exists between the chair and the keyboard.

This lesson applies not just to how you treat your employees but also to security teams themselves. Believing that you can solve a problem can have a dramatic impact on whether you actually do solve that problem. In Trading Places, Eddie Murphy becomes part of a team of misfits with Dan Aykroyd and Jamie Lee Curtis. They don’t just need each other; they believe that they are the right team for the job. Spoiler alert: they were, and so are you.

Read George’s last article on Security Roundtable, Slow Down and Frown Your Way to Cybersecurity