A closed black box on a wood slat floor.

Black Box Cybersecurity

December 11, 2023

Layoffs? In cybersecurity? Surely, you jest.

But no. This is really a thing, despite the increasing risks to businesses in 2023. Everyone knows that cyberthreats are on the rise. How could it be that executive leadership would make the choice to cut costs on the people who protect what matters most in a business?  

Because those executives have no idea what the cybersecurity team actually does. And whose fault is that? The cybersecurity team’s. 

Our industry, as a whole, is absolutely terrible at explaining what we do, how we do it, and why it matters. Mostly, for the entire history of cybersecurity, we’ve relied on Fear, Uncertainty, and Doubt (FUD) as a kind of lazy shorthand in order to get things to line up the way we needed them to, to continue to do our jobs. And that theme got picked up by cinema, to persistent and stereotypical effect. This is pretty much what people believe about us. We do mystical, impossible-to-understand things with technology in order to beat the bad guys. We practice arcane rituals that involve unspeakable languages (y’know, like C++) and overly-complicated obfuscation (like the RSA challenge), not unlike medieval wizards in their towers, to befuddle the commoners. 

But here’s the thing. Fear is a terrible motivator that only works in the short term. And if management is facing a directive to cut costs, psychologically, they’re going to be far, far more interested in cutting something they don’t understand, that makes them uncomfortable, than they are something that they can articulate the value of, clearly and easily. 

As an industry, we have created our own black box. 

It’s highly likely that your reports to management, although clear to you, are some flavor of opaque to your non-technical leadership. Establishing the kind of rapport that allows you to take the time to sit down and really explain, in simple, easy-to-follow language, what underpins the technical choices you make, takes time, patience, and consistency. It requires that you build a bridge of trust with every one of your stakeholders, so that they feel comfortable being vulnerable enough to say “I don’t know what you mean; explain it to me.” 

It requires you to be clear about being on the same side as business operations. 

So let’s look at this from a positive perspective. Taking the time to explain the thing nets you multiple benefits:

  • If you regularly explain what you’re doing, you set up an expectation of mutual trust which means that when things need to change or be done differently, all you need to do is explain that, not establish trust and then explain.
  • If you’ve taken the time to have your stakeholder understand the environment, your stakeholder is more likely to appreciate upgrades to that environment, and to appreciate the extra care and attention you’re bringing to the work.
  • If your stakeholder appreciates your work, they’re less likely to shop around to other services, and more likely to retain you, year over year. 

There’s no downside to accepting bridgebuilding as part of the overall cybersecurity engagement. Let’s put an end to the era of FUD, and start letting some sunshine into those black boxes.