Last week, a customer related a story about Dan Miessler bemoaning how long it takes for change to happen in cybersecurity.
I had a different take - which didn't surprise my customer.
But then again, I have a different set of experiences.
In my early cybersecurity career - working in government - I was told:
"In this place, nothing will change in 2 months.
But the entire world can change in 2 years."
It sounded like Stone Age thinking.
People unwilling to make decisions.
It felt like inertia.
All businesses have inertia to change.
- A fear of losing past capital investments - social, financial or political
- A fear of the cost of investing in something new - with unproven returns
- A fear of being the first - without proven pricing or sourcing controls
- A fear of external business forces impacting your future
- And so on...
When it's mishandled, inertia kills any decision, project or progress.
I've seen companies fail - too fearful to commit to any change.
But in this case - I was wrong.
I didn't understand the situation.
Thoughts, Trends and Tails
I worked in a dynamic team.
Creating IT infrastructures in seconds - that only existed for a few minutes.
Two months felt like a lifetime.
I lived in a world where every decision was instantaneous.
The department was full of such teams.
Dozens of novel thoughts and unique approaches were created every day.
There were plenty of new transformative techniques and technologies.
That was not the issue.
The issue was... how long will a thought be relevant?
Will the thought withstand the test of time?
As you would expect - the vast majority didn't.
Thoughts were hyped with immense fanfare and failed to deliver value.
For a dynamic team - failure is expected.
On with the next thing.
For businesses, it's a different matter.
Rapidly switching from one thing to the next will cause a much bigger problem - distraction.
That's why - only when many thoughts from different IT teams coalesced into a trend was it time to pay attention and start planning.
Even then, there was no commitment to make large-scale changes.
The "entire world" only changed when trends merged, creating a seismic environmental shift that meant the old way was no longer sustainable.
Once the shift took place - 100% focus and effort were applied to changing the world.
This is the tail.
In cybersecurity, the tail is a small number of tasks that mitigate meaningful business risks.
The cybersecurity basics:
- Timely patches and updates
- EDR and antivirus
- Multi-factor authentication
- Logging and monitoring
Cybersecurity's Thoughts, Trends and Tails
If you follow the cybersecurity industry, you will be bombarded by many new and novel thoughts - published without waiting to see whether they can withstand the test of time and become a trend.
Rarely - a cybersecurity article will provide a helpful view of a trend that could impact your business - like ransomware.
And seemingly, no one is willing to talk about the details that matter. The bland, low-cost, well-proven mitigations that actually help protect your business.
Slower can be better for cybersecurity.