I just returned from a large trade show (it doesn’t matter which industry this was, this applies to almost all of them), and was struck by what Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy, refers to as S.E.P. or “Somebody Else’s Problem”.
In Mr. Adams’ series of classic and sardonic stories he refers to alien technology that can generate an “S.E.P. field” around objects. This field imparts to the viewer the perception that whatever the field is surrounding is somebody else’s problem, and thus our brain doesn’t let us see it. Basically, the field taps into the human tendency to develop mental blind spots.
The Somebody Else's Problem field... relies on people's natural predisposition not to see anything they don't want to, weren't expecting, or can't explain. If Effrafax had painted the mountain pink and erected a cheap and simple Somebody Else’s Problem field on it, then people would have walked past the mountain, round it, even over it, and simply never have noticed that the thing was there.
So, what does a trade show and S.E.P. fields have to do with each other? Well, there were hundreds of booths displaying their wares. Many promoted connected electronics, both for instrumentation and control of incredibly expensive pieces of equipment. And out of that large collection of products I found a grand total of 1 booth that actually mentioned cybersecurity!
Clearly an S.E.P. field has been erected around the topic of hacking for this industry.
It’s not as if they’re not at risk: in fact they are at a very high level of risk. As an industry they have taken precautions against physical threats, such as hiring men with guns! But as a group they seemed unaware of hacking attacks in other industries. That is a pretty strong S.E.P field they have going on.
Many decades ago I remember watching an excellent TV series called “The Constitution: That Delicate Balance” (https://en.wikipedia.org/wiki/The_Constitution:_That_Delicate_Balance). As I recall, a former Secretary of State who asserted that when a crisis occurs the government has a window of 36 to 48 hours to “respond” to that crisis, during which the public will go along with whatever response the government chooses to use! After that, the public will start to question and evaluate the pros and cons of the response (despite lacking critical insight into the situation), and thus limit what can be done. The show summarized this as, “Don’t let a good crisis go to waste.”
I have observed a similar effect in the world of InfoSec. When the company/industry that was standing on an S.E.P.-shielded ‘pink mountain’ suddenly has its S.E.P. ‘protections’ ripped away by an attack, there is a huge backlash of fear, uncertainty, and doubt; gnashing of teeth; pointless meetings; and persecution of the innocent. Coming down off the S.E.P. field can be a painful event.
This is when a window of opportunity opens for the prepared InfoSec professional. For a brief period of time, you can make a case for positive change unencumbered by the usual S.E.P.-like effects.
Don't let this opportunity go to waste. Have previously prepared plans (including budgets) to take your company into a more secure standing. Communicate with organizations and managers to justify the hard choices that will secure the domain for years or even decades to come. You may not get a second chance!
Let me leave you with one final quote, this time from the late Andy Grove, former CEO of Intel:
Success breeds complacency. Complacency breeds failure. Only the paranoid survive.