The Human Qualities of Cyber Resilience
When we think about security, we often think of it as a very technical domain, which it is. But one of the things that differentiates a good security program from a great security program is the ability to overlay the human side of security, the human side of trust, to build an even stronger, more resilient enterprise. What is one of the most human qualities we can apply to build resilience? Overcoming adversity. And I know this from personal experience.
From surfing to system failure
March 12, 2007, I woke up in a beachside hotel to another beautiful day in Waikiki, Hawaii. After a fun weekend with my girlfriend and parents and celebrating a cousin’s wedding on the island, it was a lazy Monday to start vacation mode. We crafted the perfect day: surf lessons in the morning, Mexican food and margaritas for lunch, massage in the afternoon, luau at night. Similarly, in the office, we would have our perfect workday plans: get a cup of coffee, log in, clear some emails and Slack messages, scan our meetings for the day, and have output goals.
In Hawaii, we walked to the beach with the sun perfectly kissing our skin, the ocean glistening, the waves humming. We settled into our surf lesson. I paddled out, caught my first wave and thought to myself how cool I must have looked and that I was definitely impressing my girlfriend, and, likewise, she was impressing me with her surfing skills. After surfing for about an hour and a half, we headed to shore. I noticed my back was sore, which made sense to me since I had never surfed before. Perhaps like a bumpy day at work, your coffee only half-consumed and growing cold, you’re having some login issues, emails are starting to add up, you’re running a little late, fires are starting to pop up.
As the afternoon passed, my pain and discomfort accelerated, to the point where I was rushed by ambulance to the hospital for an MRI. From the time I started the surfing lesson to the time I could no longer move my toes, seven hours had elapsed. I was paralyzed. I suffered a rare spinal cord injury called Surfer’s Myelopathy, where there was no incident or accident, but a spinal stroke induced by the repetitive and prolonged form of my back arched on the surfboard while looking for waves. I have spent fifteen years, since, confined to a wheelchair. In the workplace, sometimes overwhelming chaos erupts. Failures, breaches, viruses happen — things we cannot completely control.
Challenging a mindset
Both personally and across the security field, it’s inevitable that we will encounter tough situations, things that we can’t control, bumps in the road. It’s how we account for these inevitabilities and how we bounce back that can be the difference between falling apart or finding our ground again. I often reflect on my personal experience with a potentially devastating situation — and the revelations I had as a result — when it comes to cyber resilience. It requires challenging our mindset a bit, but I believe there are three areas that can help even the best security teams work through the chaos, make empowered decisions, and gain control.
Foundation: The fundamentals and principles that shape who we are
Growing up, my dad was a salesperson. He used to sell vacuums and now sells cemetery plots, and constantly encounters rejection. When he would drive me to school in our 1990 Toyota Tercel, he would always listen to motivational speakers, like Zig Ziglar, Tony Robbins, and others that just pumped him up. As I was navigating my new normal from paralysis, I realized that those childhood influences had given me a foundation of optimism, positivity, and being solution-oriented. When my mind veered to “this is too hard” or “why me,” I was able to pivot to find solutions and silver linings.
From a security perspective, there’s nothing as important as building a strong foundation and core. At Salesforce, we call it nailing the basics. Know your security risks and vulnerabilities, set up frameworks to address these, plan, test and exercise, to make sure you’re as prepared as you can be. This can go a long way toward minimizing the risk of common cyber threats. What cracks do you have in your foundation and how can you work to strengthen them?
Adaptation: The ability to pivot our challenges to opportunities
I’ve had to adapt to every component of my life. For example, when I was first injured, I worried that I would no longer have independence, that I would need to rely on people to drive me around in those big, bulky wheelchair vans. We found a solution and adapted my sporty sedan with hand controls that allowed me to continue driving, not to mention having a huge boost on my psyche. I had a new appreciation for sitting alone in traffic in Los Angeles!
From a security standpoint, adaptation is key. Say you’ve tried identifying a system issue and fixing the root cause, but the process continues to fail. What if, instead, you asked the question: what processes are working really well? What must go right for this process to function and mitigate risks along the way? How can you use this as a base to piggyback a solution that resonates? How can you take the things that aren’t working well, pivot and adapt, and play to your company’s strengths?
Tribe: Those in our energetic circles that experience life with us
Although it was hard on my ego, I accepted support from my family, friends, and colleagues and — even more difficult — have asked for help when needed, whether a shoulder to cry on, fundraising for expensive physical therapy that wasn’t covered by insurance, or spiritual support, like prayers, existential conversations, gratitude exploration.
When it comes to security, it’s imperative to work and think cross-functionally to build resilience into every part of the business — from legal to marketing, IT to operations, and more. The more we work together, the more we can lean on and learn from each other in the moment and in the aftermath of a security event. Silos are an enemy of cyber resilience. So ask: Who is your tribe and are you asking them for help when you need it?
Foundation, adaptation, tribe. Facing a world where risk is more pervasive than ever before, if we accept the challenges and adversity with open arms and work together, we’re choosing resilience.