The Certainty of Uncertainty


Rachel and I had tickets last month to see the Goo Goo Dolls at Leader Bank Pavilion in the Boston Seaport. With the kids away at camp and the weather perfect, we were looking forward to it – maybe most of all because the opening band was Dashboard Confessional.

If you just said, “Who is Dashboard Confessional?” I guess I can’t blame you. Their peak popularity was in the early 2000s, so it’s been a while.

But for us, that band will always hold a special memory – their song Stolen is the one we danced to at our wedding 16 years ago.

Rach works downtown, so the plan was for me to Uber to her office and walk over together. At 5 PM, I ordered the Uber and went outside to look for my driver, Muhammad, in a black Chevy Impala.

He pulled up right on time. “Muhammad?” I asked. 

“Yes.” He looked at me puzzled. “But you are not Katie.”

“This is a black Chevy Impala and you are Muhammad, right?”

“No, this is a dark gray Chevy Impala.”

Oops. My Muhammad arrived 60 seconds later. The first Impala smelled a lot better than mine, but I got in anyway and off we went to Boston.

Amazing coincidence? Definitely. 

Because even though Chevy Impalas are widespread among Boston Uber drivers and (according to Google) Muhammad is the most popular man’s name on the planet, you’d think that when someone with the right name, in the right car, pulls up at the right place at the right time, I could be certain my ride was here.

And yet, in this case, I was mistaken.

Certainty In Cybersecurity Is Not Possible

I get asked questions like these by clients all the time:

Rob, can you guarantee that if we do x then y won’t happen?

Rob, will this software eliminate all future malware?

Rob, what was the root cause of…?

Unfortunately, as in life in general, cybersecurity is yet another area in which uncertainty can be reduced … but never eliminated entirely.

Like wearing a seatbelt while driving or installing a fire suppression system in your house, the best cybersecurity can (and does) reduce the probability of an event occurring. But it’s still not zero.

Further, when a cybersecurity event does occur and you are trying to track it down, there will always be potential false paths. Often, you will get some indication that something bad happened, but still not know for sure:

Sometimes, the information is imprecise.

For example, whether out of embarrassment or lack of understanding, someone may say, “I was hacked,” when what actually happened is, “I bought gift cards and emailed them to a fake CEO.” Without knowing the full story, you can run off trying to fix the wrong problem.

Sometimes, the data sends you in the wrong direction.

A log file indicates there may have been a malicious login. But it turns out that at the time of the event, Sally, who had changed her password the day before, failed nine times before finally logging in successfully.

Sometimes, the facts are incomplete.

The system keeps log files for 90 days but the event occurred 91 days ago. That one piece of missing information is keeping you from solving the puzzle.

These are just a few examples of how, every once in a while and despite your best efforts, “the wrong Muhammad” shows up.

Things to Keep in Mind

We live in an uncertain world and the information needed isn’t always there. But there are things you can do to reduce uncertainty and risk:

Expect the unexpected.

Don’t purchase systems thinking, “this will eliminate risk.” It’s not going to happen. The unlikely scenario is always possible, so it’s in your best interest not to dismiss it.

Understand the tradeoffs.

At its core, cybersecurity is really about risk reduction and business tradeoffs. You can’t prevent – or even anticipate – everything. So invest your effort in the higher-probability events that carry more business impact and/or cost less to mitigate.

Be open to alternative hypotheses.

How many times have you watched a movie where the cops were sure they had the murderer – but it turns out he coincidentally had the same size shoes as the real killer and inadvertently picked up the gun?

When investigating incidents, you also need to hold open the possibility that you are on the wrong path. Are there alternative hypotheses that would also support whatever evidence you have found? (Read more about the “Analysis of Competing Hypotheses” framework here.) 
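The Sally example above and the “Analysis of Competing Hypotheses” idea can be shown together in a few lines of code. The following is an added example written for this page, not code from the original post or from any product it mentions. The log format, the user names, the IP addresses, the 72-hour password-change lookback and the 5-seconds-per-attempt “human pace” threshold are all assumptions made for the example; the consistency ratings in the matrix are one analyst’s judgement, not a standard.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log for this example (users, IPs and format are
# made up, not taken from any real system or from the post).
SAMPLE_LOG = """\
2024-05-06T09:12:04Z auth user=sally src=10.0.4.17 result=SUCCESS
2024-05-06T14:30:00Z passwd user=sally src=10.0.4.17 result=CHANGED
2024-05-07T08:01:10Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:01:18Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:01:31Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:01:45Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:02:02Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:02:14Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:02:27Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:02:40Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:02:51Z auth user=sally src=10.0.4.17 result=FAIL
2024-05-07T08:03:02Z auth user=sally src=10.0.4.17 result=SUCCESS
2024-05-07T08:05:00Z auth user=admin src=198.51.100.23 result=FAIL
2024-05-07T08:05:01Z auth user=admin src=198.51.100.23 result=FAIL
2024-05-07T08:05:02Z auth user=admin src=198.51.100.23 result=FAIL
2024-05-07T08:05:03Z auth user=admin src=198.51.100.23 result=FAIL
2024-05-07T08:05:04Z auth user=admin src=198.51.100.23 result=FAIL
2024-05-07T08:05:05Z auth user=admin src=198.51.100.23 result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|passwd) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines we cannot parse are skipped, not guessed at
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def find_fail_bursts(events, min_fails=5, window=timedelta(minutes=10)):
    """The naive alert: >= min_fails failures for one user inside `window`,
    followed by a success. This is all the 'malicious login' log hint says."""
    bursts, pending = [], defaultdict(list)
    for ev in (e for e in events if e["kind"] == "auth"):
        fails = pending[ev["user"]]
        if ev["result"] == "FAIL":
            fails[:] = [f for f in fails if ev["ts"] - f["ts"] <= window] + [ev]
        else:
            if len(fails) >= min_fails:
                bursts.append({"user": ev["user"], "src": ev["src"], "fails": len(fails),
                               "start": fails[0]["ts"], "end": ev["ts"]})
            fails.clear()
    return bursts

def gather_evidence(burst, events, change_lookback=timedelta(hours=72)):
    """Context the naive rule ignores: prior good logins and password changes."""
    user, start = burst["user"], burst["start"]
    prior_ok = {e["src"] for e in events if e["kind"] == "auth" and e["user"] == user
                and e["result"] == "SUCCESS" and e["ts"] < start}
    changed = any(e["kind"] == "passwd" and e["user"] == user
                  and start - change_lookback <= e["ts"] < start for e in events)
    secs_per_attempt = (burst["end"] - start).total_seconds() / burst["fails"]
    return {"source_seen_before": burst["src"] in prior_ok,
            "password_changed_recently": changed,
            "human_paced": secs_per_attempt >= 5}  # 5 s/try is an assumed threshold

HYPOTHESES = ("outsider guessing credentials", "user mistyping a new password")
# Analysis of Competing Hypotheses: rate each evidence item as consistent (C),
# inconsistent (I) or neutral (N) with each hypothesis, then prefer the one
# with the FEWEST inconsistencies. These ratings are this example's judgement.
CONSISTENCY = {
    ("source_seen_before", True): ("I", "C"),  ("source_seen_before", False): ("C", "I"),
    ("password_changed_recently", True): ("N", "C"), ("password_changed_recently", False): ("N", "I"),
    ("human_paced", True): ("I", "C"),          ("human_paced", False): ("C", "I"),
}

def score_hypotheses(evidence):
    counts = {h: 0 for h in HYPOTHESES}
    for key, value in evidence.items():
        for h, rating in zip(HYPOTHESES, CONSISTENCY[(key, value)]):
            counts[h] += 1 if rating == "I" else 0
    return counts, min(counts, key=counts.get)

def triage(text):
    events = parse_log(text)
    out = []
    for burst in find_fail_bursts(events):
        evidence = gather_evidence(burst, events)
        counts, best = score_hypotheses(evidence)
        out.append({**burst, "evidence": evidence, "inconsistencies": counts,
                    "least_inconsistent": best})
    return out
```

Run `triage(SAMPLE_LOG)` and both users trip the same naive rule, but the added context separates them: Sally’s nine failures come from a source that has logged in successfully before, a day after a password change, at a human pace, so the “mistyped new password” hypothesis has no inconsistent evidence; the admin burst comes from a never-before-seen address at one attempt per second with no password change, so the “outsider” hypothesis is the least inconsistent. The point of the matrix is that it does not prove either story. It only tells you which hypothesis the evidence you actually have argues least against, which is exactly what you want when the wrong Muhammad may be at the door.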

Probability, Not Certainty

If you are looking for cybersecurity certainty, I can’t help you. Nobody can. The best anyone can do is significantly reduce risk by taking sensible precautions and intelligently managing tradeoffs. 

And even then, the wrong Muhammad may still show up at your door.

Gotta run. Rach just pulled up and we are headed out to dinner. At least I think that’s her.

Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).