Have you ever heard the words “you don’t know what you don’t know”? It is an instructive turn of phrase that says simply that until you reach a basic level of knowledge, you cannot know the more complex parts of a subject. It is about building enough awareness of a subject to get you to the point of asking questions more effectively.
Once I was working with a CIO at a company, and his responsibility was for all IT and cybersecurity for the company. It is a pretty big responsibility and one that should not be taken lightly. He was a good manager and had been in IT for many years. His background had been in product development and database design. He had a great track record of success. However, his experience with cybersecurity was limited. He believed he knew what needed to happen to make the company secure, but he was ill-equipped to make this happen.
What He Knew
The problem was that he came from a different background and looked at cybersecurity the way he looked at product development. You have a project, you have a set of goals and milestones, and you move toward the execution of those milestones and goals to hit a specific deadline. But cybersecurity is not so simple. Cybersecurity requires a totally different discipline than product development. Yes, it is part of Information Technology, and yes, it requires technical knowledge, but that is where the similarities end.
Cybersecurity vs. IT is a question of mindset. It is a way of looking at things. Cybersecurity requires a set of processes totally foreign to someone who is trying to get a product developed and on the market within a certain timeframe. Security requires a mindset that says, “Everything is a potential threat; how am I going to prevent these threats?” In product development, the mindset is, “How will I make something that accomplishes a specific task?” Cybersecurity asks, “How will I prevent something bad from happening, and how will I do it at the earliest point possible in the business cycle?” This is completely different. For cybersecurity to be truly effective, it needs to be baked into the entire equation. It should be built into all of the processes from beginning to end.
What He Didn’t Know
We had a few differences of opinion on this subject until he later started having some cybersecurity attacks after spending quite a bit of money on protection. At that point, he realized that maybe he should do things a little differently. In cybersecurity it is important to be proactive, not reactive. A good cybersecurity posture means looking for threats before they occur. A good cybersecurity professional does reconnaissance on the organization just as the cybercriminals do, so they can get in front of potential threats before those threats become breaches you are forced to react to.
So when I talk about knowing what you don’t know, corporate executives may be concerned that you cannot get there from here. This is not the case. Executives need to have a baseline knowledge of what the threats are and a mindset that is always asking how we can get in front of any potential problems. An executive should be getting regular reports from the cybersecurity team that show this proactive work is actually being done. And the executive should be asking the hard but simple questions to ensure these functions are being carried out. If they do this, they will then “know what they didn’t know before.”