A dose of neurological negativity is said to better prepare security practitioners for incidents, but in reality there are far more powerful defensive strategies.
A new research report assigns benefit to having a “pessimistic” mindset in cybersecurity.
It correlates professional pessimism with preparation, arguing essentially that a pessimistic CISO will be better prepared than a more optimistic colleague for anything that might happen as a result of a cyberattack.
“While most view optimism to be a healthy trait, we’re not so sure that mentality bodes well for cybersecurity professionals, and our Cyberthreat Defense Report respondents certainly agree,” the report states.
The evidence for this is attributed to seven years of asking cybersecurity professionals about the future likelihood of a successful cyberattack on their organisations.
Back in 2014, only 38.1 per cent believed a successful cyberattack in the coming year was more likely than not. That number has since nearly doubled to 75.6 per cent, and that’s still overly optimistic because a higher percentage - 86.2 per cent - actually fell victim to a successful attack.
While pessimism might pay preparation dividends on paper, it’s not convincing as a long-term strategy.
The issue is that pessimism ultimately grates. It wears people down, including the pessimist themselves as well as the people around them.
The report partially recognises this, insofar as acknowledging that optimism has benefits outside of cybersecurity, such as improved health, general wellbeing and life expectancy.
I would expect most professionals to have a keen interest in their health and this is likely shared by the organisations they work for.
To that end, I would strongly advocate recognising and breaking patterns of pessimistic thinking in cybersecurity because - put simply - there are better ways of approaching our collective challenges.
Causes for pessimism
It’s worth unpacking why security professionals might feel pessimistic about their role or the industry more generally, and for this, the Cyberthreat Defence Report provides many clues.
First, attacks just keep coming. Globally, 86 per cent of organisations experienced an attack last year, up 5.5 per cent. This is the largest increase in six years. Across Asia Pacific, 91.5 per cent of Chinese companies experienced a successful attack, 80.9 per cent in Japan, 81.6 per cent in Australia and 85.7 per cent in Singapore. Those are extraordinary numbers.
Second, defences are breached no matter how much cyber awareness training is completed or phishing tests are run. A combination of the sheer volume of attacks, increased sophistication such as the use of better social engineering techniques, and more users working remotely, mean more lapses and more breaches.
Third, assembling and upskilling security teams remains hard and expensive. The greatest skills shortages are seen in Japan where 98 per cent of companies are impacted, and Singapore with 93.9 per cent.
Fourth, in the current climate, lapses lead to extortion attempts and the extraction of ransoms. Despite consistent advice not to pay up, 57 per cent of organisations were blackmailed into paying. That encourages the gangs, and leads to more attacks. Australian organisations are the most targeted by ransomware (79.6 per cent), but organisations in Japan (56 per cent) and Singapore (57.1 per cent) are also regularly targeted.
A fifth cause for pessimism is no coordinated, high-level response to the malware and ransomware scourge, and so it remains every organisation for themselves. A higher degree of support - government, technical, professional - is clearly needed.
De-stressing security
While cyber awareness education and training has its place, the experience of the past year, in particular, shows that we need to reimagine defensive strategies and models.
Rather than trying to secure endpoints and teaching users what they should and shouldn’t click on, a better approach would be to remove and isolate that complexity away completely.
Secure Web Gateway solutions like are making ground in this space. They work by treating all web content as risky and isolating it in a remote browser in the cloud far from the endpoint. All dynamic content is stripped out, and only safe content is rendered to the users’ device.
There are also similar solutions that can manage email attachments and links, and others that can secure access to popular collaborative suites like Office 365 and G-Suite.
Use of these cloud-based IT security solutions is increasing. The Cyberthreat Defense Report found 41 per cent of security applications and services are now delivered via the cloud - a higher percentage than ever before.
What a user might or mightn’t do, despite their awareness training, shouldn’t constantly weigh on the shoulders of the CISO and security team. By mitigating user-generated risks, CISOs can dial back on the pessimism, while remaining optimistic their defensive choices are sound.
Stephanie Boo is the Vice President for Asia Pacific at Menlo Security.
Gloss