Stop Focusing on Black Swans When There are Known Knowns to Deal With
Security nihilism results in poor outcomes. Emphasis on "poor".
It’s easy to focus on the extreme edge outcomes. Like lightning strike, or terrorist attack.
But most people die of heart disease or diabetes or cancer, or a car crash.
The path of wisdom—that is, sane risk management—is to manage the common risks first, before you focus on the edge case risks.
In terms of health, that means quit smoking, exercise, eat healthy, wear a seat belt, etc.
As opposed to:
“I could die in a terrorist attack. Well, nothing I can do, guess I might as well start smoking and become a couch potato. Oh, and forget about wearing seatbelts. I mean, I’m going to die in a lightning strike anyway, so what’s the point?”
That seems like such an obviously insane thing to say, and yet this same logic plays out over and over in boardrooms when discussing cybersecurity.
Sure, a Black Swan risk could cause you catastrophic or existential harm, but are you doing the daily work to prevent the known known risks?
A predictable and preventable risk outcome is not a Black Swan. It’s minimum due diligence, and if you willfully refuse to perform that minimum due diligence, you are now grossly negligent.
Are you installing fire extinguishers and sprinklers in your office building? Are there fire escapes and employee fire marshals on each floor? Do you run regular fire drills?
If you don’t, by any common sense measure you are personally to blame when an otherwise minor kitchen fire burns your entire building down, killing and maiming half of your staff in the process.
It’s about the blocking and tackling. The day-to-day hard yards. There is no magic bullet. You actually have to do the work.
Every day. Every week. Every month. All the time. As part of the normal course of business operations.
I want to distinguish this common insanity (“everything is a BLACK SWAN!!!”) from rational risk acceptance. On the one hand, a fully informed risk understanding and risk acceptance is a legitimate business decision.
On the other hand, throwing up your hands and doing no security work at all because “BLACK SWAN!!!” is a point of view that belongs in a straitjacket.
The fancy word for this is “security nihilism.” Whatever you want to call it, it constitutes neither risk management nor risk acceptance, but amounts to playing chicken against fate without a seatbelt.
No sane human being should do this, but when people who don’t understand cybersecurity get involved in the security decision-making processes, it happens all the time.
Stop the insanity. Enough with the nihilism. Like, seriously. It’s bad for business.
The difficulty of the task is not an excuse to throw your hands up in the air and do nothing at all. The difficulty of measuring quantitatively the effectiveness of defensive security is not an excuse to ignore the qualitative good advice of security professionals. The risks are manageable.
It’s OK to not understand. But pretending you know everything when you don’t, and choosing to YOLO security your business?
Not OK.