News & Commentary

6/27/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Cynicism in Cybersecurity: Confessions of a Recovering Cynic

Anyone constantly dealing with complex computer systems teetering on the brink of disaster will likely succumb to the cult of cynicism. These four strategies will help you focus on the positive.

Cynics fall into the same category as Marines (if you're feeling charitable) and cheaters (if you're not) in that there's no such thing as an ex-cynic. But I'm doing my best: I'm a recovering cynic.

When I refer to cynicism, I'm not talking about the ancient Greeks. I'm using the modern definition, which I take as immediately assuming the worst of people or situations. Almost anyone who's been in computer security for any time succumbs to the cult of cynicism. We deal with complex systems teetering on the brink of disaster. We operate in an unceasingly chaotic environment. And often, it seems like organizations fail to implement even the simplest mitigations. It's easy to become jaded.

It's also easy to declare "Everything is trash." But everything's not trash. Things work, most of the time. That's not to say we couldn't do better, or it doesn't take effort to keep things working, or a random bit flip couldn't cascade into a disaster. (Curse you, cosmic rays!) My real point, though, is even if things were all trash, being cynical is not productive.

Cynicism is incapacitating. It allows you to absolve yourself of the problem. After all, why bother to help someone if they're just going to get themselves right back into trouble by being terrible? Why fix a system if it's irredeemable? How committed can you be to solving a problem if deep down inside you think the situation is hopeless?

Cynicism is contagious. One person on your team has it, then another, and before you know it, the team's a snarkapalooza, knowing better than everyone else, taking nothing seriously, and safeguarding themselves from the real discomfort of trying to fix things. Even worse, often the most experienced people on your team are the most cynical, which means the junior members see it as a defining feature of successful folks whom they respect. In reality, it's cargo cult science: all the technically accomplished people are cynical, therefore if I'm cynical, I will become technically accomplished.

Cynicism is corrosive. Having no hope, day after day, leads to a poor environment for mental health. Cynicism saps purpose and agency, two of the most important factors for job (and life) satisfaction. Cynicism makes us feel powerful in the short run but robs us of power in the long run.

Cynicism is self-perpetuating. By assuming the worst in other people, we don't commit to finding the levers to change the causal factors leading to the situation, thus perpetuating the conditions that lead to cynicism in the first place. Problems don't get fixed, things don't get better, and cynicism flourishes, because hey, things never get better! Fear leads to cynicism, cynicism leads to inaction, inaction leads to nihilism. I think Yoda said that.

What can we do? Are we supposed to be simpletons, believing the best of everyone and taking everything presented to us at face value? (If you just thought "nice strawman," stop it. You're being cynical!). I suggest skepticism is an appropriate replacement for cynicism.

Most dictionaries will tell you skepticism and cynicism are synonyms. If you dig a bit deeper, though, you'll find skeptic comes from the Greek root skepsis, meaning inquiry or doubt, whereas cynic comes from the Greek kynikós, meaning doglike. They couldn't be more different. Skepticism means approaching the world with a critical mindset, applying scientific thought, and using data and logic to refute, modify, or bolster the proposed idea.

Cynicism does none of that. Cynicism is the knee-jerk reaction that the idea is bad because, let's face it, it's always bad. Or the person promoting the idea is a weasel, and what are they up to, anyway? Cynicism is as mindless as the relentless optimism it mocks. The only difference is the optimists are at least happy.

Sometimes what seems like cynicism is an analysis based on years of hard-won experience. Even in this case, I recommend taking a second look and if you're applying your experience in a rational manner, or if you're letting your feelings get the best of you. There's a fine line between a justifiable gut reaction and an involuntary fear reflex.

I'm not saying you must necessarily give up all cynicism. But when it becomes your default way of thinking, you're no longer in a learning mindset. Here are four strategies I've been using to combat my own cynicism.

  1. I think before I communicate a cynical thought. Does it add to conversation, or does it just make me feel better? Will it create the change I want to create?
  2. I give ideas a few minutes before I disagree. Better—give them a day. Get past that first knee-jerk reaction. Everyone has something to teach me. Consider alternative viewpoints.
  3. I think in terms of creation, not problem solving. It's easy to get bogged down solving problems day after day. And the problem with problems is there's always another one waiting when you finish the one on your plate. We solve problems in service of bringing a larger vision into creation. Don't lose sight of that vision.
  4. I look for the good in things. Build off it. Apply the improv rule "Yes, and." People react better to positive emotions than negative ones, and I'm more likely to get the change I'm looking for by being kind and empathetic.

I'm doing all these things. And it's hard. I can't tell you how many times I've typed a snide comment thinking, "Ooh, this one is clever and biting and hilarious," only to stop, ask if it was making the world a better place, conclude not, and sadly delete it. Moments later, I've forgotten about it and maybe have said something constructive instead. If I can do it, so can you. And if you just thought "what a cliched ending," stop it! You're being cynical!

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Christopher Degni leads the Architect Studio within Akamai's InfoSec department, where he develops security researchers into architects. When he's not caught up in management, he likes to think about the systemic forces that shape security and the levers we can use to affect ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Lessons from My Strange Journey into InfoSec
Lysa Myers, Security Researcher, ESET,  7/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Cyberspace is much less secure than my old lamp.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6681
PUBLISHED: 2018-07-17
Abuse of Functionality vulnerability in the web interface in McAfee Network Security Management (NSM) 9.1.7.11 and earlier allows authenticated users to allow arbitrary HTML code to be reflected in the response web page via appliance web interface.
CVE-2018-13864
PUBLISHED: 2018-07-17
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.
CVE-2018-14338
PUBLISHED: 2018-07-17
samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realpath function on POSIX platforms (other than Apple platforms) where glibc is not used, possibly leading to a buffer overflow.
CVE-2018-14337
PUBLISHED: 2018-07-17
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length.
CVE-2018-14329
PUBLISHED: 2018-07-17
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack.