Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

6/27/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Cynicism in Cybersecurity: Confessions of a Recovering Cynic

Anyone constantly dealing with complex computer systems teetering on the brink of disaster will likely succumb to the cult of cynicism. These four strategies will help you focus on the positive.

Cynics fall into the same category as Marines (if you're feeling charitable) and cheaters (if you're not) in that there's no such thing as an ex-cynic. But I'm doing my best: I'm a recovering cynic.

When I refer to cynicism, I'm not talking about the ancient Greeks. I'm using the modern definition, which I take as immediately assuming the worst of people or situations. Almost anyone who's been in computer security for any time succumbs to the cult of cynicism. We deal with complex systems teetering on the brink of disaster. We operate in an unceasingly chaotic environment. And often, it seems like organizations fail to implement even the simplest mitigations. It's easy to become jaded.

It's also easy to declare "Everything is trash." But everything's not trash. Things work, most of the time. That's not to say we couldn't do better, or it doesn't take effort to keep things working, or a random bit flip couldn't cascade into a disaster. (Curse you, cosmic rays!) My real point, though, is even if things were all trash, being cynical is not productive.

Cynicism is incapacitating. It allows you to absolve yourself of the problem. After all, why bother to help someone if they're just going to get themselves right back into trouble by being terrible? Why fix a system if it's irredeemable? How committed can you be to solving a problem if deep down inside you think the situation is hopeless?

Cynicism is contagious. One person on your team has it, then another, and before you know it, the team's a snarkapalooza, knowing better than everyone else, taking nothing seriously, and safeguarding themselves from the real discomfort of trying to fix things. Even worse, often the most experienced people on your team are the most cynical, which means the junior members see it as a defining feature of successful folks whom they respect. In reality, it's cargo cult science: all the technically accomplished people are cynical, therefore if I'm cynical, I will become technically accomplished.

Cynicism is corrosive. Having no hope, day after day, leads to a poor environment for mental health. Cynicism saps purpose and agency, two of the most important factors for job (and life) satisfaction. Cynicism makes us feel powerful in the short run but robs us of power in the long run.

Cynicism is self-perpetuating. By assuming the worst in other people, we don't commit to finding the levers to change the causal factors leading to the situation, thus perpetuating the conditions that lead to cynicism in the first place. Problems don't get fixed, things don't get better, and cynicism flourishes, because hey, things never get better! Fear leads to cynicism, cynicism leads to inaction, inaction leads to nihilism. I think Yoda said that.

What can we do? Are we supposed to be simpletons, believing the best of everyone and taking everything presented to us at face value? (If you just thought "nice strawman," stop it. You're being cynical!). I suggest skepticism is an appropriate replacement for cynicism.

Most dictionaries will tell you skepticism and cynicism are synonyms. If you dig a bit deeper, though, you'll find skeptic comes from the Greek root skepsis, meaning inquiry or doubt, whereas cynic comes from the Greek kynikós, meaning doglike. They couldn't be more different. Skepticism means approaching the world with a critical mindset, applying scientific thought, and using data and logic to refute, modify, or bolster the proposed idea.

Cynicism does none of that. Cynicism is the knee-jerk reaction that the idea is bad because, let's face it, it's always bad. Or the person promoting the idea is a weasel, and what are they up to, anyway? Cynicism is as mindless as the relentless optimism it mocks. The only difference is the optimists are at least happy.

Sometimes what seems like cynicism is an analysis based on years of hard-won experience. Even in this case, I recommend taking a second look and if you're applying your experience in a rational manner, or if you're letting your feelings get the best of you. There's a fine line between a justifiable gut reaction and an involuntary fear reflex.

I'm not saying you must necessarily give up all cynicism. But when it becomes your default way of thinking, you're no longer in a learning mindset. Here are four strategies I've been using to combat my own cynicism.

  1. I think before I communicate a cynical thought. Does it add to conversation, or does it just make me feel better? Will it create the change I want to create?
  2. I give ideas a few minutes before I disagree. Better—give them a day. Get past that first knee-jerk reaction. Everyone has something to teach me. Consider alternative viewpoints.
  3. I think in terms of creation, not problem solving. It's easy to get bogged down solving problems day after day. And the problem with problems is there's always another one waiting when you finish the one on your plate. We solve problems in service of bringing a larger vision into creation. Don't lose sight of that vision.
  4. I look for the good in things. Build off it. Apply the improv rule "Yes, and." People react better to positive emotions than negative ones, and I'm more likely to get the change I'm looking for by being kind and empathetic.

I'm doing all these things. And it's hard. I can't tell you how many times I've typed a snide comment thinking, "Ooh, this one is clever and biting and hilarious," only to stop, ask if it was making the world a better place, conclude not, and sadly delete it. Moments later, I've forgotten about it and maybe have said something constructive instead. If I can do it, so can you. And if you just thought "what a cliched ending," stop it! You're being cynical!

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Christopher Degni leads the Architect Studio within Akamai's InfoSec department, where he develops security researchers into architects. When he's not caught up in management, he likes to think about the systemic forces that shape security and the levers we can use to affect ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15151
PUBLISHED: 2019-08-18
AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h.
CVE-2019-15149
PUBLISHED: 2019-08-18
core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected.
CVE-2019-15145
PUBLISHED: 2019-08-18
DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.
CVE-2019-15146
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.
CVE-2019-15147
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.