Security FOMO Par Deux
FOMO: Fear of Missing Out
People trained in the art of cybersecurity management spend a fair amount of time scanning the landscape, looking for things they don’t know much about, learning about new stuff (cough, AI, cough), and generally paying attention to the unknown. The Cynefin Framework would call this type of work the “chaotic” or “complex” domains — where we spend our time probing, sensing, and acting in areas where there is little to no structure.
It’s not surprising, really. In order to do cyber risk management really well, you need to think about your threats, which are constantly changing. You must consider your vulnerabilities, which are also constantly changing. You must think about these things in the context of your business and its priorities, which are, you guessed it, always constantly changing. If you’re not scanning your environment looking for new, unknown things, you will miss the contextual changes that will make some things more relevant than others.
Security leaders worry they will miss out. Not just on seeing colleagues at a great conference; they worry they will miss the emerging new threat that will inevitably be The Threat that takes out their organization. They are pretty sure that the IT/engineering teams are doing something unnecessarily risky, right now, and the security team is missing the signs. They are convinced that there are business strategy meetings happening somewhere the security leader is not, and that choices are being made without fully considering the security/downside impact of those decisions.
The challenge, which adds to stress and burnout, is that it’s never-ending. There will ALWAYS be more and new threats, and new vulnerabilities in your people, processes and tools. There will always be changes in organizational structure which will change your risk tolerances.
I wrote about this in January, and now I find myself revisiting the topic. Why? Well, back then (only four months ago, but time moves fast in this industry!) I gave all sorts of suggestions as to how a security leader can structurally manage this issue — having a strategy, talking to the board and leadership, lining up resources, etc. etc. I focused on boundary setting with partners and staff. But I’d forgotten the most…