Turn on the news, open Twitter, read your morning newsletters and you are going to be inundated with news about the election in the US. Regardless of where you fall politically, we find ourselves in a charged environment with palpable tension. That makes headlines like “Facebook takes down Russian operation that recruited U.S. journalists, amid rising concerns about election misinformation” even more disconcerting. From elections to Twitter to Experian, we all know that we’re “supposed” to be on top of cybersecurity, and that bad things happen when we don’t.
And yet, despite its importance, most people really aren’t talking about cybersecurity. Why is that? Why is cybersecurity not a conversation as common in households as the birds and the bees and the golden rule? I propose three main reasons: we don’t understand cybersecurity, we can’t see it, and it’s terrifying.
Why we don’t talk about cybersecurity
We don’t understand fully
IAM, CSPM, PAM, CASB? All of these terms can sound like gibberish to someone who hasn’t spent the time learning the language. Even if you know what the acronyms stand for, what the hell is posture management or a security broker? For most users, it seems like you need to have an engineering degree to be able to grasp the topic.
We can’t see it
The very aim of a cyberattack is to go undetected. That is why the attacks are so pernicious. If we could see all of the attacks, then the effects wouldn’t be as devastating. Some ideas may have spread a bit more into general population knowledge, like phishing schemes, and Nigerian princes asking for bank account information so they can wire you money. But if cyber ideas are spreading into general knowledge right now, I assure you they are not the most cunning attacks with the highest success rate.
It’s terrifying
Companies that manage where we bank, talk with friends, and check our credit scores have suffered data breaches. Is our information compromised? If it is, why hasn’t anything bad happened? Is it just a matter of time? The combination of not understanding something and not being able to see it results in a scary scenario. We feel helpless.
So what is the result of the above three issues? Not fully understanding something + not being able to see it + it being scary = we bury our heads in the sand. We pretend it doesn’t exist. Not completely. But we sure don’t give cybersecurity the airtime it deserves. I understand that it is daunting to talk about a topic with the above characteristics. It feels clunky. We feel ill-equipped. But it’s important to try. To use a classic SV cliche, let’s just work on a minimum viable product. Here is a simple MVP.
How we can talk about cybersecurity
At home: We need to treat our family’s cybersecurity the same way we treat home maintenance, yearly physicals, etc. – something we talk about. Whether it’s with kids in terms of online safety or about securing the home network, the more we talk about it, the more normalized it becomes.
In businesses: We need to bring as many types of people as possible into cybersecurity businesses and roles, to ensure these businesses and products are as wide-ranging and as accessible as possible. From a range of disciplines (marketers, lawyers, designers) to a range of people (more women, more BIPOC operators, more people up and down the economic spectrum, more people outside of the major cities), the more that cybersecurity becomes a big tent, the more commonplace and wide-reaching these businesses and effects will become. In all of my experiences, the cybersecurity community is welcoming with open arms.
At a government level: Of course we need to ensure that our elections are secure (should I even have to say that?) – but we also need to ensure that our elected officials are well-versed in cybersecurity and are pushing forward legislation, policies, or conversations around cybersecurity in the same way that they do (or should) around healthcare, infrastructure and education. Or nuclear policy back in the day.
You may be thinking, “Kara, you are an investor, why aren’t you talking about your cyber cloud thesis?” It’s true that $100B is up for grabs in cyber in the next 6 years, and the above principles can influence investment areas to consider: spear-phishing emails, training employees as consumers of IT products in an ongoing way, full suites of software for small businesses and personal data.
But more than anything, I hope to encourage anyone who is curious and mildly afraid to follow the curiosity and not worry about the fear. To dip your toe in as a consumer of news and speak about it more often. If you are an operator in the tech world, I encourage you to go a step further and do a rotation in your security team. Not just engineers who can more easily move into a security team, but consumer designers and product leaders who do not come from a security background. We have seen this play out at companies like Fleetsmith and Open Raven to great results. Not only do these companies’ websites and booths stand out differently at RSA, but these companies also designed different go-to-market motions that were built to the consumer inherent in each engineer versus just the O in the CISO.
And if you are a woman or an investor with the flexibility to expand your practice, do it! Commit to learning. Realize you have value that does not come from knowing every vulnerability management vendor of the last three decades, but may come from understanding how new go-to-markets or cultural shifts within organizations may play out. Cybersecurity is a forever industry that thrives on different and collaborative thinkers and values new curious thinkers more than many.
Security may be a bit scary. That’s OK. It is also one of the most fascinating areas of our time that moves our GDP and can move your brain in fun ways if you allow that possibility to happen!