Cybersecurity is not about technology
What I learned while leading product in one of the most complex industries
I made the decision to join LimaCharlie with a lot of hesitation. At first, moving from fintech to cybersecurity sounded like an exciting opportunity (I have been interested in this field for some time). Then, I decided to do a deeper dive into this space, and the research led me into the rabbit hole of hundreds of confusing abbreviations and scary jargon.
From the outside, cybersecurity looks intimidating — everything appears to be deeply technical and product categories look incredibly complex. You can add almost any letter in front of “DR” and the chances are high you will hit a real product category. Or, you can put “X” in front of any two or three letters and achieve the same result. In case you are wondering, EDR, MDR, NDR, XDR, XSIEM, TDR, MXDR, and XSIAM are all real, and this is just a small part of the ever-growing list.
Having spent some time working in cybersecurity and breaking down the industry fundamentals, I no longer see it as scary as before. There is a lot to take in, but I think it’s possible to shave lots of time by understanding a few simple fundamental truths about this field. I hope this article will be useful for investors looking to get started in cybersecurity, product leaders, and industry practitioners. Let’s dive in.
Definition of cybersecurity
The confusion starts from the definition of cybersecurity itself. Here is what Wikipedia thinks about it.
And, here is how some vendors in the space define cybersecurity.
While the wording of these definitions varies slightly, what all of them have in common is the idea that cybersecurity is about protecting technology. This is, in my opinion, the most important misconception of the industry. The way I see it, cybersecurity is not about protecting technology, it is about protecting people and businesses against attacks that happen through technology.
Technology is just the medium, it is not the focus. We will look at the significance of this angle later. For now, let’s discuss why cybersecurity is so hard to understand.
What makes cybersecurity so hard to understand
The reason cybersecurity is so hard for the average person to grasp is that the layers of technology surrounding us, and therefore the layers of protection, are not immediately obvious.
When you look at a medieval castle, you can see how different layers of protection would prevent someone from entering the territory.
The same cannot be said if you simply look at a computer — it is hard to see (and even more so — to fully grasp) the different components of security. Some vendors try to be creative about drawing parallels between castle security and cybersecurity, but that doesn’t make anything clearer to a regular person.
The protective capabilities of an antivirus or the importance of patching are hard to understand.
Both of these factors (cybersecurity being hard to understand and us talking about technology when trying to explain it) have contributed to the confusion I had when I first started to look into the fundamentals of the industry. I would like to now share what I learned.
Four non-obvious truths I learned while leading product in cybersecurity
I am not a cybersecurity expert, and I will never be one. However, while trying to learn what I can about the industry, I have had an opportunity to talk to many smart people in the field, and hear many great stories. Below I will summarize four non-obvious truths I learned while leading product in cybersecurity.
It’s all about people
It’s tempting to think that security is about technology, but I believe that security is about people. At this point, if you work in cybersecurity you probably think “of course, as people are the weakest link”. Surprisingly, this is not at all where this is going.
To secure an organization, you need to understand people. We, people, cannot retain random combinations in our brains, so we write them down. We click on links when something scares or excites us, and being scared or excited is the result of complex chemical reactions happening inside us.
We are humans — so different and yet in many ways so similar. Guarding security involves understanding attackers (their motives, their ways of thinking, their values, etc.) and the people who can become victims (their behaviors, fears, hopes, dreams, motivators, etc.).
Security professionals need to become people-centered instead of technology-centered.
I think it’s important to keep in mind that most people are motivated to do their best work — meet deadlines, hit targets, and be productive. At the same time, they don’t see security as a part of their daily job (how often do you see cyber-secure behavior listed as a requirement in a job description?). Because security isn’t a part of the daily work, and secure behavior isn’t rewarded (getting the job done at all cost is), it is hard to expect anything different than what we have today. Cybersecurity professionals need to become evangelists of security — talking to people, listening (and actually hearing) their needs, being empathetic, and helping them to do the best work of their lives while keeping security objectives in mind.
The culture of security isn’t built by passing directives and establishing guidelines; it’s all about people, and directives aren’t how people get motivated. Security professionals need to tell stories, build emotional involvement and become engaged champions of the shared cause.
People-centered security also means finding ways to guard people against threats instead of blaming them for being, well, people. People are not “the weakest link”, they are just people. Think of it this way: my apartment has a balcony that is completely safe for me to drink tea on. It is safe not because somebody trained me how to use a balcony and placed a sign saying “be careful when looking down”; it is safe because of the guardrails that keep me and billions of others from falling off.
Security professionals need to embrace the fact that it’s okay for people to make mistakes, and find ways to put the guardrails in place. Is there anything that can be made more intuitive? Is there anything that can stop a user from clicking on that link, and if it is clicked — limit the consequences?
It’s all about communication
Lack of good communication is one of the underlying challenges I have observed in the industry, and the results of it are far-reaching.
Identifying, prioritizing, and addressing cybersecurity risks is a communication, not a technical challenge. Security professionals need to build relationships with people they are trying to protect, and form an advisory center that people want to ask questions and talk to, not a scary team everyone is trying to avoid.
Lack of good communication skills makes both buyers and vendors default to abbreviations and product categories (“you need an XDR”) instead of understanding and clearly communicating the problems they are solving. Why is that a problem? For one, it can get confusing and lead to poor buying decisions: “needing an XDR” doesn’t actually communicate what problem you are solving, and therefore chances are high that once you get your XDR, the original problem will remain. Most importantly, when we start using industry jargon and abbreviations, we limit our thinking and our ability to be creative.
At LimaCharlie, we always discuss customer problems and specific use cases, instead of arguing about the industry labels. When somebody comes with a strong statement like “I am looking for XSIEM”, we always ask — “Tell us more. What are you hoping it will do for you? What problems are you looking to solve?”. Asking these broad questions creates room to dig deeper into specific use cases and recommend the best solutions (whether they are our products or not).
It’s all about business
The primary goal of cybersecurity in any organization has nothing to do with technology. Security is about protecting the business from attacks that happen through technology to ensure that the company can continue to operate and make a profit while avoiding financial losses.
Unfortunately, this is not the mindset shared by the practitioners in the industry who look at technology first, which often causes issues. The way most cybersecurity assessments are done looks as follows:
identify technical devices & apps on the network
brainstorm a list of attack vectors (ways in which an organization can be compromised)
In order to protect the business, people in charge of cybersecurity need to first understand the business, which requires learning how the company makes money, how the company works and communicates with its customers, suppliers, and partners, how people in the organization work, what behavior is incentivized and rewarded, and much more.
It would be great for security teams to go through the business model canvas and the organizational process mapping exercises with other stakeholders to collaboratively build a holistic view of business operations, before doing their technology assessments.
Root causes of cyber breaches are rarely technical, they are rooted in the ways organizations conduct their business operations. When business operations evolve, new technologies are adopted to support them, and with that new risks emerge. If you don’t understand these processes, it’s very unlikely you will be able to protect them. Therefore, security professionals must shift their mindset and attempt to understand the company they work for holistically. This requires talking to people from different departments, from customer success to sales and finance, and building relationships with these people to know what happens day-to-day and keep an eye on what’s important.
It’s important to also know the drivers of business decisions. In today’s hyper-competitive markets, to secure or hold market share, businesses need to move fast, get the product out quickly, learn from the customer feedback and adjust from there. Security is often an afterthought rather than an essential part of planning. Understanding the business environment can help security professionals make trade-offs and build a compelling case for implementing controls that make sense given the risk appetite and the state of the business.
It’s all about fundamentals
If you have a look at cybersecurity job postings, you will notice that more companies are seeking candidates who know how to use tools than those who understand the fundamentals of cybersecurity. It’s all too common today to have an outside analyst or a security vendor guide a company’s cybersecurity efforts by pitching their products as a solution to all problems.
When you break it down to first principles, you understand that cybersecurity is not accomplished by listening to the pitches from security vendors and taking their promises of “guaranteed safety” at face value. Instead, security is built by understanding the people, the business, and the technology used in the organization, and by establishing controls and infrastructure that can be observed, tested, and enhanced. Only when you know your environment can you design measures that address the needs of your business, instead of implementing a generic solution that the vendor sells you as “the new big thing”.
Cybersecurity isn’t all that complicated when you focus on people, empathize with them, understand their reality, expectations, and behavioral drivers, learn the business, its revenue model, and key players, break security down into the core components, and focus on communicating as much as possible. Cybersecurity can be understood by almost anyone when it’s explained in plain English, without jargon and technical abbreviations, and without the marketing magic.
Surely, this alone will not make us live in a world where there are no cyber attacks. It will, however, help us build better guardrails to protect people.
After all, in cybersecurity as in every other area of life, everything is about people.