Cybersecurity professionals, by the nature of their job, are bearers of bad news. They routinely bring ‘possible risk scenarios’ to the table. They ask for resources to mitigate the possibility (sometimes remote) of something bad happening.
This is not a very pleasant thing to hear. Boards treat such individuals with disdain. They treat such people just like anyone would treat a doctor who, on a routine checkup, says - “Nothing is wrong with you yet, but if you don’t start exercising, something will go wrong”.
The messenger, therefore, is routinely killed. If you are a board member who is bored of the antics of these cybersecurity professionals, or just want some entertainment at the expense of your cybersecurity guy, here are 5 tips to help you kill the messenger.
Tip No. 1 - Agree with everything, but say there are no budgets
This is the easiest way to kill the logical cybersecurity messenger. All you have to say is - “I get your point, but right now, we cannot budget for this. Let us consider it next year.” This will really make the cybersecurity messenger die inside.
“I know that lying on this railway track can have some risks, but seriously, we do not have any budgets to move you.”
Tip No. 2 - Tell them that they are comparing apples to oranges
In this case, you diligently point out the differences between the example incident and your own situation - even if you are worse off than the example. Simply say - “We are different. You cannot compare them to us.” The cybersecurity messenger will want to scream at you - “We are different, but we are more vulnerable than the idiots to whom the incident happened”, but he will quietly wither away.
"Our building's made of glass and steel, not like the castle carved into that rock that fell in the last earthquake. We're different."
Tip No. 3 - Tell them - it won’t happen to us.
This is a really sneaky one. You should say things like - “... so, what I hear you say, is that if we do not get a firewall, we will be hacked within a month? We have been in business for 3 months and nothing has ever happened. I am not sure if you have your numbers right!” The cybersecurity messenger has heard this “it won’t happen to us” argument for so long that he has already started believing it. This will push him over the line and he will go and promptly cancel all his insurance policies.
Tip No. 4 - Ask for a technology solution where there isn’t any.
Sayings like - If you think technology can solve your problem, then you don’t understand the problem, or you don’t understand the technology - exist for a reason. They are generally ignored. You can really crack up the cybersecurity guy by asking things like - “So, people click on random links. Can you find a product that does not allow people to click on links?”. You can be sure that the cybersecurity messenger will crack up inside and die a slow, painful death.
Tip No. 5 - Tell them to train the people.
This tip is a corollary to the previous tip. Here, you just do the opposite of what you did in the previous one. You can ask the messenger to train people to behave in a certain way, knowing full well that user behaviour is the thing that cybersecurity finds most difficult to control. You should say - “So, you want to implement a system to monitor the attachments that people send out? I think it is an unnecessary expense. You should just conduct a training session and train the people to not send out confidential files as attachments.” To add spice to this, you can also say - “If someone is hell-bent on sending out an attachment, he will send it anyway, so the best solution is training.” If the cybersecurity messenger is not dead, she will be dead after this last statement.
Have you as cybersecurity professionals faced these? How many times have you had to answer questions like these?
Have you as a meeting attendee asked these questions? What was your thinking behind it?