Matthew Tyson
Software Architect

7 cybersecurity mindsets that undermine practitioners and how to avoid them

Feature
Apr 17, 2023
8 mins
Data and Information Security, IT Leadership, IT Strategy

CISOs and other security practitioners can sometimes see things from a negative perspective, which is understandable given the nature of the job. But correcting how we see the role of cybersecurity can lead to much more positive outcomes.

Credit: Studio Romantic / Shutterstock

It’s no secret that cybersecurity jobs are burning people out. It’s a high-pressure environment in which the daily demand on security professionals seems only to ratchet up. There are many reasons for this, but underlying them all is the way we think about security. By consciously recognizing these mindsets, we can change them and better position everyone for success.

Why mindset matters

Cybersecurity is a highly technical field. In one way, it’s a hard science. But in another, it’s a very human battle, driven by psychology and morale. Underlying the effectiveness of security professionals is their mental state. This is affected by several assumptions that the industry at large holds about security and its role in business.

Here are seven cybersecurity mindsets that need to be transformed into more empowering and supportive beliefs in order for a healthier security environment to flourish:

1. Security is a destination

Probably the most insidious belief about cybersecurity is that it is a place we can arrive at, where the work is completed and can be set aside. Nobody holds this consciously; consciously, we know that securing the digital business is an ongoing effort. But subconsciously we imagine we’ll finish off the security part of things, at least for a while, and be able to relax.

This just sets everyone up for unnecessary stress. When we’re holding the idea that the effort of security has a finite end, we create a subtle sense of disappointment or failure when it turns out there’s always more to do. Somehow, it’s our fault that we never arrive, but really, that’s just the nature of the beast.

By accepting that security is a journey, an ongoing process, we align with reality and remove that extra layer of stress: the sense that we never seem to reach the place of resolution and rest that would come with cybersecurity completeness. The answer is not to shoulder the stress without any hope of resolution, but to see the work as an adventure through varied terrain. Sometimes uphill, sometimes down. Sometimes strenuous, sometimes easy. There are many resting places along the way, and then we take up the journey again.

2. Security is owned by the pros

Often, we think that security professionals are the owners of security, but that’s not accurate and it drives two unfortunate results. Firstly, it seems to release everyone else from responsibility. Secondly, it subtly isolates security people, as though they are fighting alone.

Software developers should always be thinking about security, at every stage of the lifecycle, rather than ignoring it until delivery time. So should everyone else. It’s only by keeping it in mind that personnel are ready to spot phishing and other attacks.

Of course, security professionals are the leaders and guides but ultimately, security is everyone’s responsibility, and every employee should feel empowered to contribute to the overall posture of the organization. By seeing security as owned by everyone, as a collaborative effort, we make a stronger community.

3. Security is only getting harder

Nothing is more discouraging than an endless task that only gets harder. Sometimes, securing the enterprise seems like Sisyphus pushing the boulder up the hill, except each day the boulder is a little bit bigger. Criminals get more sophisticated and use better tooling and organization, and the digital infrastructure that must be protected becomes more sprawling, complex, and interconnected.

In truth, the battle between the white hats and the black hats is tidal, coming and going. Sometimes the good guys are on the front foot, sometimes on the back foot. Ransomware is a good example: for a while the criminals seemed to have the initiative, but the industry evolved in response and pushed back with measurable results. The back and forth continues, of course, but in general we are in a much more stable position than we were.

By accepting the cyclical nature of the threat, we can adopt an attitude that gears up when the threat increases and finds the right level of resting alertness when it declines. We are always vigilant, but not always at a DEFCON 1, red-alert level. Keeping mental balance is absolutely key to long-term success.

4. Security is a product

Security is often seen as a standalone function or additional product that is bolted onto the real infrastructure or as a discrete thing to be finalized and delivered. This is a long-standing view in software development, something similar to the way we once thought about quality: as a distinct, separate component of things.

“Quality is not an act, it’s a habit,” according to an elegant paraphrase of Aristotle. Just like quality, security is not a finished product but an ongoing discipline. When we see security as a practice, to be continually refined and honed, it frees up the energy to engage with it as such. We grow healthier by exercising regularly and watching our diet daily; the same is true of security. If we want to get good at guitar or a martial art, we must keep coming back to it and refining it, and there is always more to develop, just as in security.

Instead of bemoaning this fact, we can lean into it and use it to fuel our efforts. It is actually a blessing to work in a field that always has room for growth and can fully engage our capabilities. This perspective should be shared with the entire business so that everyone adopts the mindset that we are all practicing security. The pros are the masters, but we are all in the undertaking together, always learning.

Security shouldn’t be delivered as a product; it should be a habit. Products and tools are aids, not the thing itself. What we are really building with security is culture, attitude, and awareness. In short, security is what we practice every day, individually and organizationally.

5. Security is driven by crime

It sometimes feels like we are just playing whack-a-mole with criminals, as if they are in control of the game. We are constantly putting out fires or looking for new ways that bad actors will find to compromise our systems. When we think about security as just the work of responding to the activity of criminals, we set ourselves up for disempowerment and frustration.

The truth is that business is in the driver’s seat. The value and creativity of enterprise make a tempting target that drives the unethical to try to tap into it. We are not underestimating cybercriminals here; the truth is that they can be very clever in their attacks, and we have to take them seriously.

But the value is only there because of the legitimate business; crime is parasitic. Clearly, security is driven by business: without the business, cybercrime would have nothing to feed upon. Security pros are the guardians of legitimate enterprise, and the criminals are on the outside trying to pilfer whatever they can. We can drive this point home by taking proactive steps, such as running vulnerability scans and penetration tests on our own schedule rather than waiting for an attacker to set the agenda.

6. Security is 100% achievable

Measurable factors are critical to good security. Metrics like mean time to detect (MTTD) let us monitor the situation and gauge the effectiveness of programs. The problem comes when we start to think the indicators should always move in the positive direction or, worse, stay in the near-perfect zone.

Metrics are bellwethers that guide us, not goals that can be completed. The key is to take steps that move things in the right direction and to act when the numbers indicate a problem. Security, then, requires the honest acceptance of measurements. When keeping an eye on KPIs, we should see it as monitoring a dashboard, watching the health of the organism’s immune system. Demanding that every number always improve and then stay perfect is actually an invitation to skewed metrics, since a number can be made to look good far more easily than the underlying posture can be improved. Honest appraisal is key.
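As an added illustration, not part of the original article, the following Python script computes MTTD (and the companion mean time to contain) over a constructed set of five incidents, reports the median and 90th percentile beside the mean, and shows how quietly dropping the slow detections makes the headline number look near-perfect. The incident records, field names and the 24-hour cutoff are assumptions made for this example.

```python
from datetime import datetime
from math import ceil
from statistics import mean, median

# Constructed incident records for illustration only (not data from the article).
# "occurred" is when attacker activity began, "detected" when the SOC first
# noticed it, and "contained" when it was stopped. Timestamps are ISO 8601.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2023-03-01T08:00", "detected": "2023-03-01T09:30", "contained": "2023-03-01T14:00"},
    {"id": "INC-2", "occurred": "2023-03-04T10:00", "detected": "2023-03-04T12:00", "contained": "2023-03-04T20:00"},
    {"id": "INC-3", "occurred": "2023-03-10T22:00", "detected": "2023-03-11T01:00", "contained": "2023-03-11T09:00"},
    {"id": "INC-4", "occurred": "2023-03-15T03:00", "detected": "2023-03-17T03:00", "contained": "2023-03-18T03:00"},
    {"id": "INC-5", "occurred": "2023-03-20T09:00", "detected": "2023-03-20T13:00", "contained": "2023-03-21T09:00"},
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600.0


def detection_delays(incidents) -> list:
    """Hours from first attacker activity to detection, one value per incident."""
    return [_hours_between(i["occurred"], i["detected"]) for i in incidents]


def containment_delays(incidents) -> list:
    """Hours from first attacker activity to containment, one value per incident."""
    return [_hours_between(i["occurred"], i["contained"]) for i in incidents]


def percentile(values, p: float) -> float:
    """Nearest-rank percentile (p in 0..100), no interpolation."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def mttd_hours(incidents) -> float:
    """Mean time to detect: the headline metric named in the article."""
    return mean(detection_delays(incidents))


def summarize(incidents) -> dict:
    """Mean, median and p90 for detection and containment delays.

    The mean alone hides a long tail (one 48-hour detection in the sample);
    the median and p90 make that tail visible, which is the honest reading.
    """
    det = detection_delays(incidents)
    con = containment_delays(incidents)
    return {
        "count": len(incidents),
        "mttd": mean(det),
        "mttd_median": median(det),
        "mttd_p90": percentile(det, 90),
        "mttc": mean(con),
        "mttc_median": median(con),
        "mttc_p90": percentile(con, 90),
    }


def mttd_excluding_slow(incidents, cutoff_hours: float) -> float:
    """The skewed version: drop every incident detected slower than the cutoff
    before averaging. This is the kind of 'improvement' that a demand for
    ever-better numbers invites, and exactly what an honest dashboard must not do."""
    kept = [d for d in detection_delays(incidents) if d <= cutoff_hours]
    return mean(kept)


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key:>12}: {value}")
    # Same data, one slow incident quietly dropped: the headline looks near-perfect.
    print(f"MTTD with >24h detections dropped: {mttd_excluding_slow(INCIDENTS, 24):.3f}h")
```

With the sample data the honest MTTD is 11.7 hours, the median 3 hours and the p90 48 hours; dropping the single 48-hour detection reports an MTTD of about 2.6 hours, a number that looks excellent and hides the one incident a leader most needs to hear about.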

7. Security is thankless

The old idea is that security is only noticed when it fails. Even worse, security is sometimes perceived as a necessary evil, an impediment to innovating or getting the job done. If only everyone could forget about security, we could move so much faster, in the same way that we could focus on building software if we forgot about quality and customer satisfaction. That sounds absurd, and it is just as absurd to lament the need to think about security at every stage of development.

The tendency is to raise a ruckus when something goes awry and a major breach is discovered. How could this happen? Who screwed up? Heads must roll. But all the time when things are going well, we ignore the people enabling it or — worse — act like they’re in the way.

The tendency to notice security only when it fails needs to change. Security should always be appreciated; it is the work that lets everyone do their jobs under the best conditions possible.