Please Stop Over-Simplifying Cyber Security for Executives

I was recently the fancy breakfast speaker for a group of influential decision-makers in Washington. I’d been invited as someone who can make “complex cyber security issues understandable for non-technologists.” I think they expected me to say the usual dumb things like “firewalls are like doors” or “good passwords fix 99% of security issues.” While sipping my coffee before speaking, I began to feel nauseous.

And so, in a rare moment of Jerry Maguire inspiration, I decided that it was time for me to start doing my damn job. So I began by saying this: “It’s obvious that binding integrated, adaptive authentication to dynamic, run-time protections in virtualized, micro-segmented workloads will best protect our infrastructure. Let’s discuss.” Everyone started shifting around nervously, and my nausea began to subside.

Here is the bottom line: I believe that cyber security experts must immediately stop over-simplifying cyber security issues for executives with weak technical backgrounds. Our corporate and government leaders are being sadly misled by the myth that complex cyber security challenges can be solved through basic common sense. This message is dangerous for our nation, and it must stop now.

Consider this: I was recently elected to the board of directors of a large bank. And while my personal background is certainly not in finance, the executive team has never once disrespected my intelligence by trying to reduce the complexities of banking and finance to baby talk. Instead, they know that I will step up to my responsibility of privately and diligently rectifying any knowledge gaps.

And how, you might ask, does one go about rectifying knowledge gaps? Well, I think it’s best done the old-fashioned way: Through hard work. Right now, an 800-page history of the Federal Reserve stares up from my desk. I read twenty pages every day. In contrast, how many members of Congress would you guess have a copy of Knuth’s Volume 1 on their desk? We all know the answer is a big fat zero.

Here is the core issue: We have given a free pass to otherwise-capable executives who have been unwilling to educate themselves on cyber security. They comfort themselves with inaccurate aphorisms like “cyber security is just common sense,” or “go find out who attacked us and attack them back.” These statements are about as reasonable as suggesting that we cut our national debt by printing more twenties.

So now, here is what you must do: Go to your laptop right now and take the time to dramatically improve one of your executive security briefings. Make it much more technical. Make it more accurate. Put in more truth. Take out all those ridiculous analogies put in by your public relations team. And it wouldn’t hurt to pull out all the stock PowerPoint clip art. (#NoMoreLockPictures.)

Once you’ve done this, share your results. Tell us about your personal experience. Post responses right here for all of us to read on how much pushback you received from briefing managers. Tell us how you insisted that executives are not dumb and should not be treated as such. Post it here for all of us to read. Let us learn from your work and delight in the knowledge that we are taking back the integrity of our profession.

Oh, and by the way, don’t worry one bit about any career risk that might arise from sharing your experiences on my thread. Absolutely nothing will happen to you, because I can assure you that your boss doesn’t read my posts. They are too technical.

Now go do your job.