After at least 14 years of interviewing and writing about cybersecurity, I'm surprised I'm not bored. I recall covering some towns, school districts and other jurisdictions that would drive some reporters so crazy with their mind-bendingly repetitive issues that they had to be reassigned after two or three years. Their editors sometimes used rotations to keep fresh eyes on difficult beats, and keep their reporters sane.
Surprisingly, this problem hasn't happened with cybersecurity, even though many of its topics, questions and answers are even more repetitious. In fact, a couple of sources for this year's edition, "The best defense," even stated they feel like broken records because they must endlessly tell end users to turn on/update passwords and antivirus software, inventory all network-enabled devices, ports and connections, and continuously monitor their network traffic for anomalous and possibly destructive behavior.
So why haven't I gone out of my head? I believe it's because, even though many questions and initial answers about cybersecurity are the same, there are surprising variations that emerge unexpectedly when covering it. It's hard to look away when a static statue or old-style process control simulation suddenly moves, and is counterintuitively revealed to be a street performer or a dynamic, close-to-real-time process simulation.
For instance, it's easy to understand the history of cybersecurity as another arms race with cyber-threats and protections evolving to outflank each other. However, the struggle gets more dramatic on the ground. Details of how initial protections were breached and what innovations were developed to reestablish those protections are stressful for the players, but they make excellent copy. Similar to pitchers' duels, murder mysteries, and professional or personal relationships, all their stories get more interesting up close.
In this issue's retelling, Ashok Patel, global network architect at Owens Corning, reported how his company approached cybersecurity by exploring it from the hackers' perspective. (He was one of the presenters at ARC Advisory Group's Industry Forum 2020, and you view it and others at www.arcweb.com/events/arc-industry-forum-orlando-2020.) Patel described how potential intruders usually invest huge amounts of time and labor to learn about the organizations, infrastructures and employees they target before they can probe, intrude, extract data or implant malware. I have zero sympathy for them, but I still appreciate the initiative and effort involved.
Similarly, many sources talk blithely about how operations technology (OT) and information technology (IT) cooperating to optimize their companies' operations, efficiency and productivity. However, this optimism about "IT/OT convergence" is severely tempered when sources describe what's needed to resolve software patching issues to provide cybersecurity for the equipment on actual plant floors. These are heroic struggles and epic tales, too, though plenty of repeating is needed to retool old, obsolete habits into new, effective ones.
No disrespect to my editors, but I think the best repetition strategy comes from a couple of high school teachers I was lucky to know. They taught French and calculus, and while I was vainly struggling with both, I asked if they got bored teaching the same material for 20-30 years in a row. They agreed their curricula didn't change much from year to year, but it was the reactions of their students and their problems on the way to comprehension that made their subjects endlessly fascinating for the teachers. Similar to a kaliedoscope, magic lantern, movies, great art, live sports, good marriages, and even TVs or other screens on their better days, the device or players stay the same, but the images keep changing.
This may also be where repetition become useful and comforting ritual. It can be used equally well to appreciate academic and technical topics, approach laundry or dishwashing like the mediation of a Japanese tea ceremony, practice behaviors we may need during the COVID-19 pandemic, or just avoid clicking on the next phishing email and its malware.
[sidebar id= 1]