BlackBerry Blog

Business and Cybersecurity: The Codependency

FEATURE / 04.03.18 / Pete Herzog

There is no better allegory for the coexistence of business and security than this modern fable:

A scorpion needed to get to the other side of the river, so it hired a frog to get it there. The scorpion climbed on its back and, before it even got to the river’s edge, stung the frog and killed it. Another frog jumped at the chance (literally) for the vacant job, and the scorpion hired it. Seconds later it stung that frog and killed it too. Three more frogs showed up vying for the job. Each one was dead before the scorpion got more than ankle deep in the water. More frogs showed up to take the job, and as each died of the scorpion’s sting and sank, another frog showed up to carry it a little further. Soon there were no more frogs that could or would carry it, and the scorpion sank, drowning in the river.

If you’re business management, you likely read that story and thought, the scorpion got screwed by its own employees. The scorpion was completely unaware that it was drowning, and needed the frogs to convince it that water can be bad. Therefore the fault lies with the frog, which was hired to deliver safe travel across the river and failed to deliver it.

If you’re working in cybersecurity then you likely read that story and thought, holy crap, I really do work for scorpions!

There are a lot of books and blogs written about how cybersecurity should learn the language of business to be taken seriously, and how we need to learn finance and risk to convince the heads of these mighty nations we call corporations. Yet, they will sink without security. So, shouldn’t they be learning the language of cybersecurity?

Don’t answer that, because… really, what’s the point? Learning the language of cybersecurity is like learning Esperanto: those who know it will tell you you’re clueless, and those who don’t know it will ignore you anyway.

If cybersecurity was an animal, it would be a raccoon, protecting the dumpster it eats out of while thinking that washing its hands in the creek somehow makes it dignified.

Too harsh?

Security is all too often seen as the thing in the way of good profits, much as environmental protection was viewed in the 70s, 80s, 90s… well, fracking, radioactive reactor-cooling water dumped into the ocean, marine fuel leaks, any kind of energy production (you don’t really think the plastic molded for your wind turbines and solar panels isn’t part of the smog?). So yeah, business is not going to learn on its own that security is a necessity in business to protect people.

This isn’t a Disney movie where some sassy kids turn the tables on big business and save everyone’s privacy while the board gets arrested and the CEO steps in dog crap on the way home. No, this is the real world, and big business doesn’t get punished, and when it does, the penalty is a laughable fraction of profits. That’s why they do it. And why shouldn’t they?

Pay $50 million to make $50 billion. No kidding. Of course they’re going to do it then. It’s not like they’re bad at business! Their whole thing is business! I suck at screwing over people, and even I can tell you that’s a brilliant business plan!

So basically, security is a cost center with a loss motive and no real profit incentive. Which means convincing a business manager to get more security is like trying to convince a Vegas gambler to buy a titanium safe before they hit the craps tables. No gambler is going to spend their gambling pot BEFORE they get a chance to gamble it!

As it is, business schools won’t spend time on teaching cybersecurity because there’s no need to. (Which is strange, because they do focus a whole lot on every other threat to business.) And even if some business schools are teaching something about cybersecurity these days, there are still a lot of business executives who didn’t just now graduate from business school.

The thing is business needs cybersecurity and cybersecurity needs business. It’s textbook co-dependence. Except business doesn’t realize it yet. Business still thinks it needs to sow its wild oats. Meanwhile security is trying like hell to make itself sexier to catch business’ attention.

Security tries to sell itself as a means of increasing profits, customers, and stock prices but every executive knows that, while true, it’s just not the best way to do it. There are better, cheaper, more efficient, and just sexier ways than security to do all those things. The security thing is just something we security people say because we want it so desperately to be true. But it’s not.

So, in a desperate, pathetic move for attention, we push for compliance. We try to get the government to help us remind business that it needs security. We try to get the public to demand that business pay attention to security. “Think of the children!” we cry. Yet here at the party, business is flirting through the crowd and flashing that trillion-dollar smile (which it wouldn’t still have if it wasn’t for me, says security under its breath).

Meanwhile, cybersecurity is sitting at the children’s table (child labor that is) along with the environment, animal rights, national healthcare, the ozone, climate change, personal privacy, and a few dozen other trophy spouses that business thinks should be used and not heard.

Too harsh? Maybe the party metaphor was a bit too hard of a push. But that’s exactly how it feels to me. I feel like screaming. I feel like the move to the Internet let many businesses screw people over in a whole new way, because just screwing over the environment, the labor force, and everything else got boring for them. Before, these businesses could only pollute our earth, our air, and our animals, but now they’re polluting our identities! They are soiling who we are! For profit. And it really, really sucks.

I guess what bothers me the most about the frog and scorpion allegory is how many of the frogs didn’t go to the scorpion for just a job; many probably sincerely wanted to help. I see that a lot in many fields: people who want to help support business and make life better for others.

They think that since business is life for most people, that they can use business to improve life. But you can’t really use business because scorpions. 

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.