The Power of Experiences
Many years ago, I had a colleague while studying Electronic Engineering at university. He was proud that he had never used a soldering iron - in four years of study.
He claimed he didn't need to, as he was looking forward to a career in consulting.
"Telling. Not doing."
But in the final hours of a group project competition, I uttered the fateful words...
"Please, can you pass me that soldering iron?"
He picked up the wrong end.
At that moment, I recognised the difference between book knowledge and experience.
This incident shaped my early career.
It was not enough to learn from a book. It was essential to do.
And that's why I worked in cyber operations in those early years.
I still have scars on my hands from sharp edges in computer cases. And see the value in the emotional experience of a situation as much as the problem described with words on a page.
It's impossible to have the time to experience all critical situations organically. And that's why simulations are so helpful for learning.
They create experiences similar to those from an actual situation but without the consequences.
Over the years, I've been through media training simulations that included "tough questioning" from retired journalists. And I'm glad I didn't experience that live on air.
Similarly, clicking on a phishing simulation drives the adrenaline of "Damn. I got caught out." without the weeks of clean-up that would follow a real one.
And I've talked previously about the first time I thought I had been hacked.
But what about when things go wrong?
Crisis Simulations & Congressional Hearings
As a business leader, understanding what the situation will entail can be challenging.
Crisis management simulations and incident response tabletop exercises are crucial to mature cybersecurity programmes. But what if your business isn't mature enough to run these annually?
Learn from others.
And practice your responses to their situation.
On Friday, I saw a clip of a US Congressional committee questioning an executive about a data breach. It gave a fantastic insight into the intensity and type of questions asked after a breach.
Imagine you've just lost over 56,000 sets of sensitive personal data. How would you respond to these 10 questions?
- Is this a password issue with authentication on the server? What actually happened?
- How long was the server misconfigured?
- So the server was exposed starting in 2018?
- Had it changed at all in that timeframe?
- Up to how many people could potentially have been exposed then from this breach?
- Are employees required to use a quote "strong password" when creating authentication within the programs you all use?
- Is it required, or is it just encouraged?
- As a matter of company policy, do you require two-factor authentication for company passwords used by employees or contractors?
- How long has that been going on?
- Will you fire the contractor or employee who created this breach issue? Will they be fired?
Here's how Mila Kofman - the witness - responded.
On balance, I think she answered and deflected the questions reasonably well.
But I am surprised that 6 weeks after the discovery, the answers weren't based on more known facts.
...and yes, deflection and bridging are crucial to answering these questions in public.