Do you recognize the difference between knowing and doing? Many times over the years in the cybersecurity business there has been a need for action. And sometimes the required action follows. But far too many times we run into a situation where an action is not taken. I talk to people every day who know what the right thing to do is when it comes to cybersecurity. On the other hand, I witness far fewer people actually doing the things that need to be done.
The pattern usually goes like this. Talking with a person who is responsible for the cybersecurity of their respective organization, they will ask me about my business. When they do, I like to tell stories, since stories explain something so much better than just the cold hard facts and numbers. For instance, this story right here is a good example. I proceed to tell them a story about this interesting scenario or that big attack that was in the news. Maybe I explain why it happened, perhaps with a lesson or parable component to it.
Then the listener will many times tell me the answer to the parable before I can get it out. They look at me with knowing eyes and a sly grin on their face, acknowledging that it is so obvious what is going on with the victim, and wondering how the victim in the story could not figure this out.
It’s Not Rocket Science
I then feel a little funny at first, not getting whether they may have already heard the story or it was just too simple of a hack and anyone could have seen it coming a mile away, except of course the victim of the story. So what’s going on here? There are a couple of things going on. First, have you ever been told the trick behind a magician’s really good stunt? What is the feeling you get afterward?
It is kind of a knowing feeling, a letdown. It is like “that’s all there is to it?” “That was so simple.” Explaining a cyber-attack to someone after the fact is kind of like that.
Another issue is that the listener is not in the situation of the victim at the time. All he has to do is dissect your story. He does not have to think on his feet; he does not have to make the security connections at the time, as the victim had to do. But there is a much more important reason why people always seem to know. This is the difference between knowing and doing.
A Little Action Is Worth A Lot Of Knowing
The answer is that the person does know, and yes, the victim probably knows too. But neither took the requisite action to solve the problem at the time. For instance, if a person walks in through the locked door behind you without the correct sign-in or without using their key card, we all know that is a big security violation. But on any given day it happens frequently, because we know the person or the person is not viewed as a threat.
But if we knew that person was not supposed to come through, and that there would be a breach, we would treat that action completely differently. We simply do not take the action necessary to keep the entrance secure in a routine situation.
This is the same with most cybersecurity functions. We basically know what needs to be done; it’s not terribly complicated most of the time. But we don’t take the actions necessary. We need to act in order to maintain a secure environment, and this starts with the leadership of an organization. When a company leader puts off a badly needed security purchase until next year or the next budget cycle, he not only exposes the company to risk, but he also sends a signal to his employees about how seriously he takes cybersecurity. The difference between knowing and doing will determine your cybersecurity.
As a leader in the company, he must speak with his actions, not just his words. Communication with his words is going to be necessary. But his actions are going to be critical in solidifying the desired result. Remember, words make people think, but action inspires people to follow.