On inevitable breaches and how customers feel

Welcome to the new 138 cyber warriors who joined us last week. 🥳 Thanks for subscribing!

We drop weekly insights and perspective-shifting ideas from the Black Hat MEA community right into your inbox. Including exclusive interviews and key moments from the #BHMEA22 keynote stage. Subscribe now

🌟This week we’re focused on…

Inevitability.

We interviewed upcoming Black Hat MEA speaker Makesh Chandramohan (CISO at Aditya Birla Capital) and he said:

“Believe in the statement: Breach is inevitable.”

Do you believe?🙄

To those outside of the industry, it might seem that the point of cybersecurity is to prevent breaches from happening. To keep everyone’s data and money locked up safe, and ensure that nothing bad can ever happen.

But the reality is that it’s not possible to do that. There’s no security system in existence that can prevent 100% of threat activity from penetrating a network.

Back in 2018, a survey by Kaspersky Lab found that 86% of 250 top security professionals agree with Chandramohan. They believe security breaches are, indeed, inevitable.

Every company in the world is running happily towards a hack, all the time. Because the attack surface is too big to identify, locate, and patch every vulnerability before it lets someone in.

But…we all know this. You know this. You probably tell your clients all the time that breaches are inevitable, and that what really matters is how prepared you are to respond to them, to contain the threat, and to recover.

So why are we hammering this point home? 🤫

Because of the psychological impact of inevitability

Here’s a thing: believing that something is inevitable has a psychological effect.

It’s OK for cybersecurity professionals to believe it’s impossible to prevent a breach. Because that won’t stop you from doing your job. You understand the problem, you understand the consequences, and you know how to manage risk.

But for customers – client companies and users who aren’t trained in cybersecurity – the psychological impact of being told, again and again, that a breach is inevitable could cause more vulnerabilities.

💡 Believing in the inevitable creates freedom

Think of it this way:

When someone is diagnosed with a terminal illness and goes to a therapist for support, the therapist might work with them to recognise the inevitability of death for everyone. They might be facing death sooner than the people around them, but everyone will die.

And when that person begins to internalise this, and really embody that understanding that death is inevitable, it gives them a new sense of freedom.

They might stop worrying about things they’ve always worried about. They might start enjoying the wonder and chaos of life more fully. They might let go of some of their risk-averse, cautious habits – because death is coming, so life must be for living.

This is a positive outcome of believing in inevitability.

And in business psychology, inevitability can have a similar (positive) effect. This article published by Psychology Today explains how embracing the inevitability of failure allows you to be more creative – because you’re going to fail anyway, so you might as well have fun and express yourself while doing it.

But what about in cybersecurity?

In cybersecurity, however, if people believe that a breach is inevitable, then the sense of freedom that comes from that could be damaging.

A user (an employee in a company, for example) might think: They’ve told me a breach is going to happen no matter what I do. So what does it matter if this one time, while I’m in a rush, I don’t follow the company’s security guidance?

It makes perfect sense for cybersecurity teams to prepare clients for the likelihood of breaches. To tell a customer that you can make them 100% secure 100% of the time would be a lie – and it’d leave you vulnerable to blame and backlash when that breach did occur.

And for people working in cybersecurity we absolutely agree with Chandramohan. Breaches are inevitable, so our efforts to minimise them and build response strategies should be built on that belief.

But maybe, when it comes to effective communication with the people who interact with a network on a daily basis, that word – inevitable – would be better left out of the conversation. As a community, we can find more empowering ways to explain that breaches are likely; but that everyone has a role to play in guarding against them.
Read our interview with Makesh Chandramohan: Is cybersecurity the same across industries?

How do you communicate to clients or coworkers about the likelihood of breaches?

1. I usually use the term "inevitable" 👨‍💻 vote

2. I usually use secret terms 😉 vote

Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 28 June 2023.

Catch you next week,
Steve Durning
Exhibition Director

P.S. - Mark your calendars for the return of Black Hat MEA from 📅 14 - 16 November 2023. Want to be a part of the action?