Cyber Security is easy, right? – How Soon is Now?

Apart from being a great song by the Smiths, “How soon is now?” is also a question we should be asking ourselves daily.

Cyber Security does not stand still for a second. Rarely is anything settled or constant, yet we continually plan improvements based on the situation remaining constant, focusing on a point in the future that simply won’t be there when we arrive.

People leave, hardware breaks, licences expire, new vulnerabilities are discovered, defender techniques become outdated and regulations change.

Of course this does not mean we should not plan or strategise, but we must recognise and understand that no plan survives contact with reality.

Procrastination is our enemy. There will never be a right time to do anything, never a perfect moment. Nothing will ever be finished, nothing will ever be complete, there is no ideal destination, there is no end.

This may sound a bit bleak, but that’s because as humans we are obsessed with destinations, with getting to the end of a journey; that’s how we know to move on to the next thing.

We implement a new firewall, and do it well. Is this finished? Absolutely not: rules need reviewing regularly, security fixes and updates are required, changes will be needed to facilitate new services, and testing and configuration checks will lead to remediation work.

We need to stop treating our work like a race, where as soon as one finishes we move on to the next with the satisfaction coming from finishing in the expected time regardless of how we got there. Let’s treat it more like a pleasant stroll which has no expected end, and the satisfaction comes from being on the journey and what happens during the walk.

We shouldn’t aim for perfection; we should aim to make things better every day, even if the changes seem small. By achieving little victories on a regular basis we get greater satisfaction, shift our mindset away from being continually on the losing end, and feel like we have started to tip the balance in our favour.

We need to think, yes.

Remember that any time we say no to something, we are also actually saying yes to something else. We need to think about this every time we say no to making an improvement, or taking an action, because it feels too difficult and impossible. By saying no we are saying yes to the opposite, for example: “Yes, we want to delay this for a further two years, which makes this task even more difficult to complete in the future.” Or: “Yes, we want our organisation to provide inadequate protection for the data we are responsible for protecting.”

This approach requires bravery and honesty, not just from the technicians, but from the entire organisation. It requires us to make mistakes, to tolerate and forgive mistakes, to admit we don’t know how something works, to admit that things are not as they are reported, that we have gaps, and that technology alone is not enough: we need to balance this with process and people.

How soon is now? It’s today, this morning, this afternoon. Let’s go for a pleasant stroll, start stacking those little victories and see if we can tip the scales in our favour.

Cyber Security is easy, right?