
Cybersecurity is Difficult Enough, Don’t Complicate it as Well!

I think enough people are clawing over the Equifax carcass, so I’m just going to rant about how wonderfully simple security is instead.

Actually, it’s REALLY simple, or I would not be doing it! I’m lazy, and nowhere near smart enough to do something complicated. Therefore cybersecurity consultant is the perfect fit because it’s almost entirely common sense, and it’s not me who has to do the work! 🙂

Not only that, the things that you should be doing to secure your business have been written down for generations. Literally. So anyone who still thinks it’s complicated is not asking the right people the right questions, and anyone who says it’s complicated is probably extorting their clients by making it so.

Take GDPR for example. >96% of the GDPR is related to security of processing (basically privacy), and NOT the security of the data itself. Yet the number of security companies crawling out from under their rocks to capitalise on it increases daily. Anyone who knows the first thing about security would not be fooled by these charlatans. Cybersecurity does NOT equal privacy, which IS complicated.

So here’s the real problem: If the cybersecurity industry was doing its job, it would be SIMPLIFYING things for everyone, not making them worse! Muddying the waters just to make a few extra quid is utterly reprehensible. But the fact that organisations are ALLOWING them to do this is just plain laziness. The answers are out there.

All that said, making security simple is actually very difficult, and only good consultants have this ability. This is the same in every profession and the sign of true mastery.

Rule of thumb: If you talk to a cybersecurity consultant and afterwards you have no idea how what they do benefits your business, they are the wrong fit for you.

Besides, the only reason you are talking to a consultant in the first place is because there is some business driver (regulatory compliance, contractual obligation etc.), so you’d better know how the deliverables are going to meet the objective. Frankly, if you are not a security practitioner yourself, I can pretty much guarantee you’re asking the wrong questions.

Crap analogy. When you go to the doctor do you:

  1. Tell them exactly what’s wrong with you and what they should be doing to fix it; or
  2. Tell them you don’t feel well and where it hurts?

I assume you chose 2., but if the doctor then prescribes leeches, would you seek a second opinion? Of course you would, then you’d find someone whose solution to your illness made sense, right? Someone who explained things to you, someone who told you what to expect (the good and the bad), someone who made sense. Right?

So why would you hire a cybersecurity person who can’t explain, simply, what you need and why you need it? Especially when 9 times out of 10 what they are proposing is likely not what you actually asked for? e.g. You asked a consultant to make you PCI compliant when what you should have asked for is a security program that covers the PCI requirements. Very different beasties.

In 4 years running my own consulting practice I have turned down several contracts because I knew they would go pear-shaped. In each of these cases I explained what it is that I do and what the long-term benefits would be. But in each case it was clear the prospect had absolutely no idea what I was talking about. Sometimes simple just doesn’t sell, but it’s the only way I will do business.

I’ve just re-read this blog and I’ve completely failed to make my point. Oh well, I’m off to the pub…
