Hacker News
Things to know before getting into cyber security (2018) (doublepulsar.com)
37 points by Tomte on July 12, 2021 | 14 comments



This contains some generally good advice. I find this is underutilized by most people:

“A really key one is listening. Sometimes what you’re proposing really isn’t possible with the resources a department/team/company has. Sometimes what you’re proposing isn’t workable for reasons you’ve never even thought of. Sometimes what you’re proposing is just dumb in the real world. And sometimes the arguments an organisation will present against doing something won’t make sense. The key thing is you’ve listened, and you can go away and figure what to challenge, and how.”


He likes the term "cyber" quite a lot. I don't.

It derives via William Gibson (who admitted he knows nothing about computers) from cybernetics, which is the science of control systems - feedback loops etc.

In modern discourse, you can always substitute "computer" for "cyber" and get a better sentence.


Tech people don’t usually use the word “cyber”. Non-tech folks use it all the time.

Even “cyber security” is only used to refer to the discipline. Nobody says “we need more cybersecurity.”


Pretty interesting article overall, but I was struck by this bit:

> It’s also worth pointing out many companies are still early in their cyber journey

It's hard not to go "waitjustaminute" about that. Computers have been highly prevalent, if not ubiquitous, in corporate life for near on 40 years now. The first computer virus[1] is older than I am (I'll be 48 in a week). Hackers as a sort of public threat seemed to enter the public vernacular largely around the release of WarGames[2] in 1983. The Morris Worm[3] caught the public's attention in 1988. Kevin Mitnick[4] was notorious as "the world's most wanted computer hacker" by the mid-1990s. Hackers[5] came out in 1995.

There's really not much new about the need for a focus on cybersecurity, other than the specific details of newer vulnerabilities and exploits, and the general shift towards profit-motivated malicious hacking. Anybody who is "just starting" to focus on cybersecurity really hasn't been paying attention.

[1]: https://en.wikipedia.org/wiki/Creeper_(program)

[2]: https://en.wikipedia.org/wiki/WarGames

[3]: https://en.wikipedia.org/wiki/Morris_worm

[4]: https://en.wikipedia.org/wiki/Kevin_Mitnick

[5]: https://en.wikipedia.org/wiki/Hackers_(film)


> Anybody who is "just starting" to focus on cybersecurity really hasn't been paying attention.

As a cybersecurity engineer: absolutely agree. Unfortunately, there is a truly stunning amount of companies that haven't been paying attention.

I'm lucky to work at a company that's been investing in cyber for years, but the stories I hear from colleagues at other companies are truly mind-blowing. There are a lot of highly respected companies out there with little to no security program in place.


I regularly saw Fortune 100 firms having domain controllers with MS08-067 unpatched in 2013. I also saw other places with pressurized Ethernet runs. I'm guessing it's still spotty depending on where you're at.


Deloitte _sells_ security consulting and they had DCs on public internet as recently as a few years ago (around the time they were breached).


At least tell me they were RODCs?


Oh yeah, no doubt. I'm not trying to suggest that the overall state of security is "good" by any means. I think we all know it isn't. I was more just making the point that if security is not where it could be, it's not really because any of this is new. We've known computer security was an issue for a very long time. Now doing something about it, well, that's a different story...


What is a pressurized Ethernet run?


An Ethernet cable inside a pressurized tube. If pressure changes you know someone may be trying to tamper with your line.


Clever. Do people actually do this? (The pressurized part, not the tampering part.)


Pop culture (WarGames, Hackers) and popularized accounts of public events (Kevin Mitnick, worms, viruses, etc.) are all terrible at teaching users about cybersecurity, and in fact give them bad impressions in general. Why do you think users seem to think that security is just a matter of buying an expensive antivirus program? Or why any time their HDMI glitches out they think their PC "is hacked" but they'll gladly click on malicious emails?


I don't disagree. My point was simply that the idea of the need for what we now call "cybersecurity" isn't new, even in the zeitgeist of the public at large. Computer professionals should be even more aware and should be more familiar with the intricacies, of course.



