So there’s kinda a few interesting things happening at the moment. But, actually, when you stand back far enough and squint, you can recognize that the outline is basically the same:
Over-excited FUD-slinging.
You see, fear – as you might’ve remembered me talking about once or maybe 20+ times before – is a pretty powerful and mind-altering drug—both for the purveyors of it and the recipients. And, culturally, America is well ahead of the pack in terms of stoking the fires of fear towards the “them”…
Whomever the “them” might be that conveniently happens to don the jersey.
Them could be Republicans.
Them could be Democrats.
Them could be Immigrants.
Them could be Foreigners.
Them could be Christians.
Them could be Muslims.
Them could be Atheists.
Them could be…anyone who looks different than you.
But, I think economist and regular Bloomberg contributor Noah Smith (@noahpinion on Twitter) summed it up when he said yesterday:
“I’ve sat here and watched for over a decade as American society increasingly specialized in Telling Each Other That We Suck. Now when a real threat has presented itself, we’re seeing the downsides of a society whose comparative advantage is criticism and critique.”
You might be forgiven if you thought he was talking about security people too, because that’s often the mode our security customers surely think we’re stuck in. Sometimes, we just forget that there’s a balance there somewhere, but I digress…
Right now, there’s a new person thrust in the limelight and handed the “them” jersey so they’re now be the target of all that criticism, critique, FUD-slinging, and, best of all…
…the emphatic, pompous and indignant “I told you so” of people firmly stuck in the “I’m great (and you’re not)” mindset of Tribal Leadership Level 3.
Exhibit A for today is the current security delinquent everyone loves to bash, Zoom. Now, before we get too far into this, I want to say a couple of things—actually, there’s 4 things:
Yes, they have issues.
Yes, they tried to hide those issues.
Yes, unfortunate things have happened to people using their service.
And yes, they should be doing everything they need to do to address them ASAP—for themselves as an organization, their investors and shareholders, and their customers using their free and paid offerings.
Much has already been said about the ills, follies and foibles of Zoom in the press and on social media by security professionals, and I’m not going to rehash this. However, yesterday on LinkedIn, a friend (who also happens to be a subscriber to the Security Sanity™ print newsletter) published a pretty objective rebuttal to a lot of the criticism about Zoom being the evil love-child of Satan and Tiamat out to pillage the privacy of the population and devour the very soul of our humanity.
I’m also not going to go into much detail about what he said, because I don’t want to go into a blow-by-blow on either side. Suffice to say, his whole point was nicely summed up with the observation that:
“I guarantee that if faced with the choice of their business failing—grinding to a halt, shutting up shop and laying off staff, vs. a potential risk that a well-placed actor might listen in to your humdrum project status updates, the majority would go for the [latter].”
Now, I’m going out on a bit of a limb here and giving him the benefit of the doubt because I’ve known him for years, so when he actually said “former” at the end of that sentence in his post, I think he wasn’t actually intending to say that business leaders would take sure failure of their enterprise over taking a calculated risk.
The question is…did they?
And, in this case, the “they” is everyone who’s been adopting Zoom as the go-to platform to keep connected in this time of crisis.
An example of the perfect troll chimed in to my comment on the above post this morning suggesting that I was all for giving China the keys to the kingdom and exposing school children to things they shouldn’t be forced to see. As most trolls do, he spectacularly missed the point—while simultaneously proving he was a shining example of the society Noah Smith was calling out.
Yep. Of course, that’s exactly what I meant. In fact, I can’t, for the life of me, think of why I didn’t just come out and use those exact words in my comment to eliminate the confusion and save him the trouble of having to call me out for it.
The low road to decision-making is lurching along through the “Fast Thinking” mud of fear-induced, gut reactions, complete ignorance of any individual accountability for things that happen and adopting the mantra of the Victim role on Karpman’s Drama triangle as you scream, “It’s all your fault!”
The high road is making decisions based on taking the time to gather information about the situation, evaluating the consequences using “Slow Thinking” and making a measured decision—which could still be spectacularly wrong.
However, the high road of risk-based decision making also acknowledges real accountability for any gaps or lapses in the process that resulted in the decision, and then taking action to make a new decision.
Because that’s the best thing you can do when you make a bad decision. You need to make another decision that hopefully gets you headed back in the right direction and moving closer to your objectives.
Zoom isn’t the point of this email. You can pick anyone who provides a service of any kind and the people who choose to use that service as the basis of the same conversation.
Risks are risks, and impacts are impacts.
The details are important in every case specifically, but the details aren’t important when you’re talking about the process.
Remember when Microsoft was the laughing-stock of the security world? I’d say that the net impact overall of the historic security snafus and the current fall-out for the decisions to maintain decades of backwards compatibility has been far greater than anything we’ve seen so far during this crisis.
It also doesn’t change the fact that we’re all suffering a global trauma the likes of which none of us has ever faced before, and, as Noah said in another related comment, “many people tend to cope with crises by simply doing more of what they know how to do.”
It’s a raw nerve. It’s an easy target. And we all have a lot of pent up feelings, anger, aggression, anxiety, fear, hurt and frustrations just looking for any opportunity to bubble to the surface.
Zoom is what it is…
…and so is Facebook, Google, Microsoft, Apple, Capital One, Sony, Equifax, Home Depot…
…and I’m sure you can keep going if you want. There’s potentially a really, really, really long list.
And even that list isn’t the point of this email.
The point is whether you as a security professional – and especially as a security leader – make risk-based decisions about what “secure” actually means for you, your organization and your customers given the whole context of the environment in which you operate…
…or not.
And if you’re not, is it because you’re living hit-to-hit on fear-driven paralysis that robs you of your own ability to see and think for yourself…
…or because you’d like to, but you just don’t know how to do it?
Unfortunately, I can’t really help you with the first one. There’s a lot more psychology involved than I’m qualified to tackle.
However, if you’d like to work on the second one, that’s precisely what being part of the next cohort for the 7 weeks of the Building Effective Security Architectures program will help you learn—and practice. It’s the fastest and easiest way I’ve found to do what it takes to enable you and your business customers to make truly risk-based decisions that are aligned with the best interests of achieving the organization’s objectives.
…that is if you can get past the fact that I’ve been called an imposter, “a limbo dancer” and/or “a pug,” but I’m really not sure which one he meant. You can probably just throw in “contributor to the general meltdown of society overall,” and have it covered either way.
Oh, and just a quick FYI since we’re on the subject, all of our weekly, live Q&A calls for the program will be using Zoom, so if that’s a problem for you, then I suggest you don’t sign up. I’ve made my risk-based calculation and deployed what I believe are the necessary security controls for this particular scenario, and I don’t intend to change this decision between now and the end of the cohort.
This, the “unplanned and unanticipated” cohort will kick off the week of July 6th and run through basically the end of August. If you want in, here’s the link:
And, if you register using the above link before next Sunday, April 19th, you’ll automatically save $2,000 off the regular price of the program. With that money, you and five of your colleagues could pay for an annual subscription for G Suite Enterprise and do all the Hangouts you like—or you could probably throw one helluva “Welcome back” party for the team once things settle down a bit.
Choices, choices. Always choices.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
