Flipping the cybersecurity narrative
Once I had a job taking the stones out of cherries for a big fruit punch. The chef said, "You're thinking about it wrong. You're trying to take the fruit off the stone." He was right. I was picking at the flesh. As soon as I flipped the mental model, and started taking the stones out of the cherries it went ten times faster!
In cybersecurity we talk a lot about "adding security". As if security was a tangible asset. That's ass-backwards. We're stuck in an old groove, using old language. We need to start talking about reducing insecurity.
I recently listened to a guest lecture for Ross Anderson and Sam Ainsworth's Security Engineering course, where ex-CTO of our National Cybersecurity Centre Ian Levy made a singular, deep remark. It is an idea I've held dear for decades and was, to be honest, very surprised to hear that come from the lips of an associate of GCHQ. It is that;
At this point my ears perked up and I instantly warmed to the speaker. As Levy enthusiastically and patiently worked a suspicious and silent audience, he spoke on mainly technical topics with a confident air of total disbelief.
