Dark Reading is part of the Informa Tech Division of Informa PLC


6/27/2018
10:30 AM

Cynicism in Cybersecurity: Confessions of a Recovering Cynic

Anyone constantly dealing with complex computer systems teetering on the brink of disaster will likely succumb to the cult of cynicism. These four strategies will help you focus on the positive.

Cynics fall into the same category as Marines (if you're feeling charitable) and cheaters (if you're not) in that there's no such thing as an ex-cynic. But I'm doing my best: I'm a recovering cynic.

When I refer to cynicism, I'm not talking about the ancient Greeks. I'm using the modern definition, which I take as immediately assuming the worst of people or situations. Almost anyone who's been in computer security for any time succumbs to the cult of cynicism. We deal with complex systems teetering on the brink of disaster. We operate in an unceasingly chaotic environment. And often, it seems like organizations fail to implement even the simplest mitigations. It's easy to become jaded.

It's also easy to declare "Everything is trash." But everything's not trash. Things work, most of the time. That's not to say we couldn't do better, or it doesn't take effort to keep things working, or a random bit flip couldn't cascade into a disaster. (Curse you, cosmic rays!) My real point, though, is even if things were all trash, being cynical is not productive.

Cynicism is incapacitating. It allows you to absolve yourself of the problem. After all, why bother to help someone if they're just going to get themselves right back into trouble by being terrible? Why fix a system if it's irredeemable? How committed can you be to solving a problem if deep down inside you think the situation is hopeless?

Cynicism is contagious. One person on your team has it, then another, and before you know it, the team's a snarkapalooza, knowing better than everyone else, taking nothing seriously, and safeguarding themselves from the real discomfort of trying to fix things. Even worse, often the most experienced people on your team are the most cynical, which means the junior members see it as a defining feature of successful folks whom they respect. In reality, it's cargo cult science: all the technically accomplished people are cynical, therefore if I'm cynical, I will become technically accomplished.

Cynicism is corrosive. Having no hope, day after day, leads to a poor environment for mental health. Cynicism saps purpose and agency, two of the most important factors for job (and life) satisfaction. Cynicism makes us feel powerful in the short run but robs us of power in the long run.

Cynicism is self-perpetuating. By assuming the worst in other people, we don't commit to finding the levers to change the causal factors leading to the situation, thus perpetuating the conditions that lead to cynicism in the first place. Problems don't get fixed, things don't get better, and cynicism flourishes, because hey, things never get better! Fear leads to cynicism, cynicism leads to inaction, inaction leads to nihilism. I think Yoda said that.

What can we do? Are we supposed to be simpletons, believing the best of everyone and taking everything presented to us at face value? (If you just thought "nice strawman," stop it. You're being cynical!) I suggest skepticism is an appropriate replacement for cynicism.

Most dictionaries will tell you skepticism and cynicism are synonyms. If you dig a bit deeper, though, you'll find skeptic comes from the Greek root skepsis, meaning inquiry or doubt, whereas cynic comes from the Greek kynikós, meaning doglike. They couldn't be more different. Skepticism means approaching the world with a critical mindset, applying scientific thought, and using data and logic to refute, modify, or bolster the proposed idea.

Cynicism does none of that. Cynicism is the knee-jerk reaction that the idea is bad because, let's face it, it's always bad. Or the person promoting the idea is a weasel, and what are they up to, anyway? Cynicism is as mindless as the relentless optimism it mocks. The only difference is the optimists are at least happy.

Sometimes what seems like cynicism is an analysis based on years of hard-won experience. Even in this case, I recommend taking a second look and asking whether you're applying your experience in a rational manner or letting your feelings get the best of you. There's a fine line between a justifiable gut reaction and an involuntary fear reflex.

I'm not saying you must necessarily give up all cynicism. But when it becomes your default way of thinking, you're no longer in a learning mindset. Here are four strategies I've been using to combat my own cynicism.

  1. I think before I communicate a cynical thought. Does it add to the conversation, or does it just make me feel better? Will it create the change I want to create?
  2. I give ideas a few minutes before I disagree. Better—give them a day. Get past that first knee-jerk reaction. Everyone has something to teach me. Consider alternative viewpoints.
  3. I think in terms of creation, not problem solving. It's easy to get bogged down solving problems day after day. And the problem with problems is there's always another one waiting when you finish the one on your plate. We solve problems in service of bringing a larger vision into creation. Don't lose sight of that vision.
  4. I look for the good in things. Build off it. Apply the improv rule "Yes, and." People react better to positive emotions than negative ones, and I'm more likely to get the change I'm looking for by being kind and empathetic.

I'm doing all these things. And it's hard. I can't tell you how many times I've typed a snide comment thinking, "Ooh, this one is clever and biting and hilarious," only to stop, ask if it was making the world a better place, conclude not, and sadly delete it. Moments later, I've forgotten about it and maybe have said something constructive instead. If I can do it, so can you. And if you just thought "what a cliched ending," stop it! You're being cynical!


Christopher Degni leads the Architect Studio within Akamai's InfoSec department, where he develops security researchers into architects. When he's not caught up in management, he likes to think about the systemic forces that shape security and the levers we can use to affect ...
 
