Outside the Charlotte Convention Center, it was one of those rare February days you sometimes run into in the south: the type of day that convinces you—no matter what the groundhog predicted about winter a few days before—spring is closer than you thought.
Inside the convention center, Thornton May, futurist and keynote speaker at the SecureWorld Charlotte cybersecurity conference, reflected that hopeful optimism, despite a crowd determined to side with the groundhog’s pessimism. May asked the crowd to choose a cultural artifact—a movie, TV show, or song—that captured the essence of the state of security today. Seated in groups of six at roughly 30 round tables inside the keynote theater, each small group brainstormed.
After about a minute of chat, May bounded from group to group, like a ’90s-era talk show host, pointing his microphone into the faces of quickly conscripted spokespeople. The Art of War, Mission Impossible, and It’s the End of the World as We Know It were a few answers offered. It’s not the first time May has asked this question in front of crowds just like this one. He’s talked to a lot of info and digital security professionals, and his conclusion from these interactions is: “The state of security is dark.”
But he takes his role as a one-man cheerleading team seriously, saying, “If you want to build a future you want to live in, then you need to get real positive, real fast.”
Preparing for an unforeseeable future
May believes much of the dread and angst surrounding cybersecurity comes from security experts who convince themselves the future is out of their control.
“Many executives believe that because so much change is happening and because change is exponential that the future is unknowable. I’m telling you that’s wrong. Why? Because most technology trends are forecastable. While the future may not be knowable with decimal-point precision, it is forecastable,” he says.
In other words, you can’t know the future with complete accuracy, but you can still prepare for it. Even if you can’t be 100 percent precise in your predictions, you can map the path your business should follow when it comes to cybersecurity.
How? May posits that digital security professionals need to see the new age they’re living in for what it is first—and then recognize their role in it. He encouraged those in attendance to accept a more heroic mindset, saying, “Every age has its heroes. I believe each and every one of you are heroes of the new age.”
3 ways to become the heroes of the future
From your work life to your personal life, nothing remains untouched by digitization today. If you want to become the hero of this age, how can you navigate this digital landscape? To answer that question, May proposes three powerful ideas:
1. Get rid of security ignorance
Stop creating more security geniuses; instead, start eradicating ignorance. Think about the security breaches you’ve read about. How did they happen? Breaches are rarely—if ever—due to a security pro messing up. Usually, breaches happen due to the unprepared, the uninformed, and the uninitiated. Some otherwise well-meaning person clicked a bad link, or another blissfully unaware employee provided program credentials to a third-party vendor to make their lives easier.
As security and risk professionals, your job shouldn’t just focus on gaining more knowledge in your field. You should also spread your knowledge to company execs, colleagues, and the users most likely to be targeted by bad actors wanting access to your company’s information. Don’t tsk-tsk people who don’t know better; instead, spend your time teaching them what to look for—and how not to be a victim.
2. Remember: You’re in it together
When May raised this idea—which he learned from his mother, who worked as a spy—he explained it by saying, “I don’t mean your technology network. I mean your personal network. The success of next-gen risk and security leaders will be a function of personal and professional networks. You are not alone, and you are only as strong as your personal network.” In other words, you need to make connections with other people who do what you do.
You might feel buttoned up and unwilling to share your experience out of fear you’ll reveal too much to a competitor, but you’re in the same boat as all the other cybersecurity and IT pros out there. Everyone’s fighting against the bad actors; don’t worry about how you look compared to others. If you join together to fight common enemies, the outcome will prove positive—and effective.
3. Panic is not a strategy
Too many business leaders believe a breach won’t happen to them. May echoes what so many other security experts say: The question isn’t if a breach will happen; it’s when. As security and risk professionals, part of your role is trying to make the leaders of your organization understand this fact.
May also noted, “The CISO’s job is to present the risk, explain the consequences, and lay out mitigation options and alternatives.” Once business leaders understand the risks and make clear how much risk they’re willing to tolerate, the job of a security pro is to create a plan that matches.
But a plan is not enough. “What will ruin your career is not the breach. It is the response to the breach. If you’re not with alarming and systematic regularity rehearsing what happens when the breach happens, you’re in trouble,” he warns.
Building a secure future together
May made the point during his talk that cybersecurity folks are “scary smart.” To become the heroes of this era, though, you need to get outside the old, cynical mindsets and jargon. Focus on spreading cybersecurity awareness by sharing what you know in ways that make sense to the people who rarely think about it.
May sums it up this way: “What you do is so critically important, but you have to translate that into something the business community understands.”