I was chatting with a chief information security officer (CISO) recently, and we started talking about motivation and the role of love and hate in driving ourselves towards our goals. In cybersecurity, we tend to think about external opponents, most notably white hats vs. black hats, but rarely discuss the internal factors that guide our day-to-day decisions.
Humans are dynamic beings that aren’t driven solely by love or hate (despite what the chatter on social media may have you believe). We do, however, have predilections based on our personalities and environment. How we choose to deal with those influences shapes who we become. A good strategy is a combination of love and hate where organizations work towards a grand vision of their future while eliminating things they hate one after the other.
The craft of cybersecurity
Leaders in general, and CISOs in particular, are sometimes in love with their vision. Typically this is an idealistic view of the world in the future. In many cases this drives long term progress, innovation and sets far ahead goals.
Cybersecurity leaders driven by love are the craftsmen of our industry. They view their job as a calling that brings meaning and fulfillment to their lives. Generally, these dedicated workers believe they have a deep understanding of how the world works and where they fit into it. When working from a place of love, security pros relish security fundamentals, best practices, and peer feedback to create a strong security posture.
In cybersecurity, an example of a love-based initiative is the zero trust model. Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.
As everyone knows, the only constant in cybersecurity is change, which can be a problem for security leaders. Too often, love drives us to hold onto what’s worked in the past for too long. Or it keeps us blind to small issues until they become full-fledged problems. Love keeps us focused on fixing the process, strategy, or tool that is currently malfunctioning and doesn’t drive us to take the time to evaluate whether a better solution is available. For instance, businesses often spend significant man hours and resources evaluating, buying, and implementing traditional firewalls to protect their organizations, but don’t actually evaluate whether the technology is delivering ROI. Good cybersecurity leaders are highly adaptable and routinely challenge their own assumptions. Security leaders that only execute on love initiatives and drive towards the future with no regard for present limitations inevitably fail.
Focus on cybercriminals: Sound strategy or distraction?
Cybersecurity is a pressure-packed industry where the stakes are incredibly high. Data breaches not only cost security leaders their jobs, they also make organizations vulnerable to fines, lawsuits, and other long-term negative effects. This breeds hate – for the attacker. Security pros driven by hate are externally focused, so they are busy educating themselves on new malware, social engineering, and other tactics cybercriminals use to victimize businesses.
The media and threat researchers discover new botnets, techniques, and vulnerabilities every day so playing cat-and-mouse with cybercriminals is a huge undertaking for any business. Rather than focusing on their organizations’ security needs, hate causes security pros to spend resources on issues their organization may or may not face. All security leaders have a healthy amount of paranoia but frequently adjusting an organization’s security posture can cause inefficiencies and distractions within the organization. Security leaders that only work on fixing the things they hate now won’t get very far; instead, they will only optimize the existing state.
The Tao of Tesla
Love and hate create a push-pull effect if used correctly by cybersecurity professionals. Someone that I’ve seen harness this dynamic effectively is, ironically, someone not necessarily known for his equilibrium.
Elon Musk is a celebrated serial entrepreneur and founder of, among others, SpaceX. Elon Musk loves the vision of humans becoming an interplanetary species and believes we need to colonize Mars. However, he hates the cost of launching rockets and satellites into Earth’s orbit. Space missions cost billions of dollars and leave significant amounts of trash in the stratosphere. Musk’s hatred of these problems led him to build his reusable ‘Falcon’ rockets that solved both of these issues. By building the cheapest and most effective method of launching vehicles into Earth’s orbit, he can now fund the development of his Star Hopper project that will get his company to Mars. Like Musk, CISOs need to fix the things they hate that are slowing them down now while aiming towards the vision they love.
Security leaders naturally lean towards love or hate. The key to balance is recognizing which category their actions are guided by and make the necessary adjustments. Don’t know which one you fall into? Take a look at where you and your team are spending their time and resources. If the bulk of the organization’s budget is allocated to maintaining the current state of security operations, that indicates a love-based approach. Corporate security strategies that consistently expand to protect against new threats may show that leadership is geared towards hate.
As stated previously, love and hate are not inherently bad by themselves. It’s when a person leans too hard into one or the other that problems can arise. Optimism and cynicism are two sides of the same coin in cybersecurity so balance is critical for security professionals looking for fulfillment and career advancement.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.
