Nobody Cares About Cybersecurity. Why Should You?

Austin Harman, CISSP
Published in DataDrivenInvestor
4 min read · Jan 28, 2020

What if security was sexy?

Every day, part of my job as President & CEO of The Penn Group is convincing executives that they should quit…pour money into an extremely complicated subject with little to no tangible return on the investment. I’m not talking about marketing. I’m talking about information security. Nobody with half a brain would spend hundreds of thousands of dollars without extensive business justification. Again and again I, along with other security professionals, have taken on the noble challenge in a desperate attempt to convince very intelligent people that they should act on something that is elusive. Cybersecurity is frankly tough to understand. As a result, I’ve come to the conclusion, or delusion, that in the end, nobody really cares about security.

Why Should You?

In a board meeting last week, I was going through the usual company performance metrics and discussing problems and opportunities. During the presentation, I had the opportunity to articulate the need for security in a bit of a different light. Most within the security industry have turned to the fear factor of the existential boogeyman that is cybercriminals to persuade the populace to come clean and admit security is important. I’ve always had a problem with this approach, because it entrenches the negative stigma of security deeper into the culture of the organization. I’m not innocent of this approach, though. Sometimes, you have to face the hard facts, and security is a real challenge that has to be invested in. Instead of quoting the usual statistics about how a company is literally screwed if a criminal gets in, I opted to tell a few stories of real people who had their lives upended by organizations with poor security.

What gets left out of most news stories are the real people who have their identities stolen and cannot buy a house. Or people who get doxed and have their privacy subverted. What about the people who are spied on constantly by companies who collect endless information from our own devices with or without our consent? What about the single mother who has her bank account drained by cybercriminals in Russia because Johnny Taco had crappy security and had malware on their POS system? These aren’t worthless statistics that overgeneralize breaches. These are real stories of real people.

Sex Up Security

Security teams are usually viewed through a critical eye. Security is viewed as the police of the organization, just waiting to get their hands on the next guilty criminal who is breaking the information security policy. I’ve worked with organizations that struggled with a divide between security and operations so deep that the security team would randomly disable production equipment that violated security policy, just to get the point across. This isn’t a good look for either side, but it speaks to the desperation that those who work in this industry experience. When was the last time you heard about something sexy related to information security? Probably…never.

But Really, Why Should You?

If you’re still reading this, you probably haven’t been convinced that you should pay attention to security. Here is the real kicker: nobody cares about security, and that is actually a good thing. This gap in expectation affords the opportunity for real change within an incredibly fluid industry. We, as security professionals, actually have the opportunity to use our talents and giftings to make a real impact within our world.

The reality is, cybersecurity actually matters a whole lot. We get to tell the story as to why it matters. You should care about information security because if you don’t, then few others will. Those who understand the deep complexities of security have a duty to raise up the next generation of security leaders who can change the tide of a very insecure computing landscape.

Why?

Here is what it boils down to: If organizations do not pay attention to security, real people will continue to be harmed. Everything from your debit card to your identity is on the line. Beyond just you, everyone else who has entrusted an organization with their data is also at risk. Our nation’s security is also at risk. In today’s digitalized society, now more than ever, information security must be at the forefront of our minds as we make critical decisions. Information security may not be sexy, but it is our job as security professionals to make it so. We get to tell the story, and convince real people that we have their backs. In the continual cat-and-mouse game with criminals, it is up to us to keep real people safe and organizations out of the news.

Austin Harman is the President & CEO of The Penn Group. He currently holds the coveted CISSP certification, in conjunction with the CCSP, CAP, and Security+ certifications from ISC2 and CompTIA respectively. He resides in Columbus, Ohio.
