by VM
When you ask yourself: what is the most important thing in your job? If your response is anything other than your own mental wellbeing, we need to talk.
With everything that’s going on in the world, we have a gazillion excuses to panic. If we let every single event get to our heads, we won’t have any more space for the things that actually matter. Health, family, friends, the thing you actually like doing, your passion, that nice project you were working on with your cool colleagues, etc…
So, what have we seen these past few months? What do we need to talk about?
Here’s a list of events in the past 4 months:
- Log4j (yeah, we all remember this one, don’t we?)
- T-mobile hack
- The pandemic that’s still going on
- Russian/Ukrainian cyberwarfare
- Nvidia blackmailed
- Microsoft vulnerability
- Vodafone hack
- Lapsus$
- Russian companies targeted
- DDoS in Israel
- Snatch
- Ubisoft hack
- And more…
That list is already huge, and it doesn’t seem to end. It can be pretty overwhelming for us whose work revolves around these events, and especially for security leadership. What do you do when all of this messed up stuff is happening around you? Well, for one, don’t panic!
When something happens (because it always does), here’s what we ask of you: take a deep breath. Just one deep breath, hold it for 4 seconds, and let it out slowly. This technique helps you return to yourself and be in the here and now. And now, ask yourself this one question:
How bad is it, really?
Don’t drift away towards scenarios that have 0.0000001% chance of happening. Stay in the moment, with you and yourself, because you honestly don’t have the time or energy to think about all the possible ways things could go wrong. Focus on what matters. If you know your company, your systems, the attack surface, you can start thinking rationally. How bad is it for you (or your company) right now?
Does the vulnerability affect Java applications?
You don’t use any? Then don’t care! Thank you, next.
Are the hackers targeting Windows?
You have a MacBook and your company is GCP-cloud-native? Move on! Thank you, next.
Are bots trying to hack into your employees’ accounts using credential stuffing attacks?
Did you enforce 2FA company-wide? Thank you, next.
Fear, Uncertainty, and Doubt make up the trinity of destructive emotions that only lead us down a path of darkness. To quote one of the greatest minds of fictional history:
“Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.”
Master Yoda
Sure, things might change. And sure, maybe you’re not seeing something, but you can’t do anything about that. Those hackers might decide one day to target GCP or AWS. And yes, maybe they’ll uncover some clever way to use vulnerabilities that don’t necessarily concern you and/or impact you against you. But what matters right now, in the here and now?
We can think of tens of thousands of doomsday scenarios, we can write hundreds of books about them (and it’s been done), but honey, you don’t have time for that. You neither have the strength or energy to worry about all these things, none of us do. Hackers will always be there. Whatever’s reachable from the Internet will always and constantly be targeted by bots, script kiddies, other kinds of humans. New threat actor groups will rise and yes, one day, maybe one will affect your company. Data and password leaks are like pollen season. They are recurring and they suck for those impacted.
So that’s what we’re really talking about here, and I’m surprised the word hasn’t surfaced yet. This is all about risk, a.k.a. threat modeling, a.k.a. how screwed are you? Risk-based thinking helps you set your priorities straight and focus on what truly matters. In this everchanging, rapid-paced cyber world, squirreling down rabbit holes is like an addictive drug. It won’t help your company “get more secure”, and it won’t help you and your (mental) health.
Whenever something happens, promise us that you won’t go down that rabbit hole again if your risk is 0.0000001%. Here’s what you will do: assess. Talk to your experts (or be the expert) and measure rationally and effectively how screwed you are. And you need to be efficient, because life goes on, and it won’t wait for you to catch up with it.
WICCA 