In the current controversies involving what our intelligence community is collecting about its citizens, the issue has frequently been framed as a balance of protecting the personal safety of people versus protecting one’s privacy. While delving deeper may reveal a false dichotomy, we nonetheless must acknowledge that such tradeoffs do exist. At the very least, we’ve come to expect and accept some degree of inconvenience when flying, entering government buildings, or attending certain large events. Similarly, we are rarely troubled when we notice closed-circuit cameras in parking garages, along highways, and in stores. In fact, we may feel safer with their presence. However, in all cases, their existence can change our behavior. We may be reluctant to engage in perfectly legal behavior that may be misinterpreted or simply cause us embarrassment. That’s a tradeoff we’re making, but do we actually acknowledge how we’re diminishing the value of certain activities and assets when performing these tradeoffs? On a case-by-case basis, that reduction in value is barely detectable, but in the aggregate, does it matter more? Moreover, decision makers rarely take action based on a balanced review of the costs and benefits. Instead, action may be motivated by an event that, while rare, causes all the focus to be on one side of the argument. We’ve seen this with terrorist attacks and mass shootings. Humans are overcome with emotion and make decisions they would not normally make.
However, this propensity for knee-jerk reactions is not new, and we must acknowledge it will happen from time to time. What is new is the heightened focus that cybersecurity has received over the last few years, particularly surrounding critical infrastructure. This has become a board-level issue, with senior management frequently wanting to take bold action. For businesses, this can be a dangerous proposition, as such actions can have a profound impact on their operation. A simple antidote to a possible overreaction is to step back and calmly evaluate the business value of the functions impacted. For example, it may be considered risky to access network services remotely. An executive could argue that such services are a perk for folks who don’t want to come into the office, without realizing that remote access is a crucial function for the sales team, who use it while traveling to provide customers with up-to-date information on their accounts and online demonstrations of new product offerings. Business partners may also need access to the network. Moreover, even that supposed “perk” for people working from home could be the trigger that causes several top-performing employees to leave the company when they must commute in daily to do a job they’ve been doing successfully from home. If not presented to management correctly, our attempts to highlight risks could end up doing more damage than good.
For years, cybersecurity professionals have been the proverbial voice crying out in the wilderness, hoping that someone in the executive suites will listen. Thanks to media attention and government action, we may now have that chance. But we need to be careful what we wish for. Executives subjected to unhealthy doses of fear, uncertainty, and doubt are not always receptive to a measured response to something they know little about. Nonetheless, we are the ones likely to get the blame for the consequences of any overreaction, so we must be prepared with a well-thought-out strategy that is both bold and appropriately targeted. This could be our finest hour. Let’s not blow it.