Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

10:30 AM
Connect Directly
E-Mail vvv

Cynicism in Cybersecurity: Confessions of a Recovering Cynic

Anyone constantly dealing with complex computer systems teetering on the brink of disaster will likely succumb to the cult of cynicism. These four strategies will help you focus on the positive.

Cynics fall into the same category as Marines (if you're feeling charitable) and cheaters (if you're not) in that there's no such thing as an ex-cynic. But I'm doing my best: I'm a recovering cynic.

When I refer to cynicism, I'm not talking about the ancient Greeks. I'm using the modern definition, which I take as immediately assuming the worst of people or situations. Almost anyone who's been in computer security for any time succumbs to the cult of cynicism. We deal with complex systems teetering on the brink of disaster. We operate in an unceasingly chaotic environment. And often, it seems like organizations fail to implement even the simplest mitigations. It's easy to become jaded.

It's also easy to declare "Everything is trash." But everything's not trash. Things work, most of the time. That's not to say we couldn't do better, or it doesn't take effort to keep things working, or a random bit flip couldn't cascade into a disaster. (Curse you, cosmic rays!) My real point, though, is even if things were all trash, being cynical is not productive.

Cynicism is incapacitating. It allows you to absolve yourself of the problem. After all, why bother to help someone if they're just going to get themselves right back into trouble by being terrible? Why fix a system if it's irredeemable? How committed can you be to solving a problem if deep down inside you think the situation is hopeless?

Cynicism is contagious. One person on your team has it, then another, and before you know it, the team's a snarkapalooza, knowing better than everyone else, taking nothing seriously, and safeguarding themselves from the real discomfort of trying to fix things. Even worse, often the most experienced people on your team are the most cynical, which means the junior members see it as a defining feature of successful folks whom they respect. In reality, it's cargo cult science: all the technically accomplished people are cynical, therefore if I'm cynical, I will become technically accomplished.

Cynicism is corrosive. Having no hope, day after day, leads to a poor environment for mental health. Cynicism saps purpose and agency, two of the most important factors for job (and life) satisfaction. Cynicism makes us feel powerful in the short run but robs us of power in the long run.

Cynicism is self-perpetuating. By assuming the worst in other people, we don't commit to finding the levers to change the causal factors leading to the situation, thus perpetuating the conditions that lead to cynicism in the first place. Problems don't get fixed, things don't get better, and cynicism flourishes, because hey, things never get better! Fear leads to cynicism, cynicism leads to inaction, inaction leads to nihilism. I think Yoda said that.

What can we do? Are we supposed to be simpletons, believing the best of everyone and taking everything presented to us at face value? (If you just thought "nice strawman," stop it. You're being cynical!). I suggest skepticism is an appropriate replacement for cynicism.

Most dictionaries will tell you skepticism and cynicism are synonyms. If you dig a bit deeper, though, you'll find skeptic comes from the Greek root skepsis, meaning inquiry or doubt, whereas cynic comes from the Greek kynikós, meaning doglike. They couldn't be more different. Skepticism means approaching the world with a critical mindset, applying scientific thought, and using data and logic to refute, modify, or bolster the proposed idea.

Cynicism does none of that. Cynicism is the knee-jerk reaction that the idea is bad because, let's face it, it's always bad. Or the person promoting the idea is a weasel, and what are they up to, anyway? Cynicism is as mindless as the relentless optimism it mocks. The only difference is the optimists are at least happy.

Sometimes what seems like cynicism is an analysis based on years of hard-won experience. Even in this case, I recommend taking a second look and if you're applying your experience in a rational manner, or if you're letting your feelings get the best of you. There's a fine line between a justifiable gut reaction and an involuntary fear reflex.

I'm not saying you must necessarily give up all cynicism. But when it becomes your default way of thinking, you're no longer in a learning mindset. Here are four strategies I've been using to combat my own cynicism.

  1. I think before I communicate a cynical thought. Does it add to conversation, or does it just make me feel better? Will it create the change I want to create?
  2. I give ideas a few minutes before I disagree. Better—give them a day. Get past that first knee-jerk reaction. Everyone has something to teach me. Consider alternative viewpoints.
  3. I think in terms of creation, not problem solving. It's easy to get bogged down solving problems day after day. And the problem with problems is there's always another one waiting when you finish the one on your plate. We solve problems in service of bringing a larger vision into creation. Don't lose sight of that vision.
  4. I look for the good in things. Build off it. Apply the improv rule "Yes, and." People react better to positive emotions than negative ones, and I'm more likely to get the change I'm looking for by being kind and empathetic.

I'm doing all these things. And it's hard. I can't tell you how many times I've typed a snide comment thinking, "Ooh, this one is clever and biting and hilarious," only to stop, ask if it was making the world a better place, conclude not, and sadly delete it. Moments later, I've forgotten about it and maybe have said something constructive instead. If I can do it, so can you. And if you just thought "what a cliched ending," stop it! You're being cynical!

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Christopher Degni leads the Architect Studio within Akamai's InfoSec department, where he develops security researchers into architects. When he's not caught up in management, he likes to think about the systemic forces that shape security and the levers we can use to affect ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Deliver a Deadly Counterpunch to Ransomware Attacks: 4 Steps
Mathew Newfield, Chief Information Security Officer at Unisys,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.