
Don't be a Fatalist

Updated: Apr 22

I encounter fatalism in a variety of flavors.


A fatalist is someone who believes that events are inevitable, so the choices they make and the actions they take make no difference to the outcome. At the extreme end of the fatalism scale are the people who think "if it's your time to go, it's your time."


You may be thinking "I'm not a fatalist - I certainly don't believe that!" However, there are subtle ways in which we may find ourselves resigning ourselves to fatalism.


Fatalism in Gardening

I'm a gardener, and I have grown tired of hearing my fellow gardeners complain about animals eating their crops. Many of them have resigned themselves to fatalism. Instead of devising strategies for keeping animals out, they simply complain about their losses.


"Are you smarter than a woodchuck?" I ask.

We should be able to keep the animals out, or at least reduce losses to a reasonable level.


I actually thought that my elevated garden was woodchuck proof, but one day I was sitting outside and heard this loud munching sound. It was the woodchuck! He had climbed up into my raised beds and was eating my lettuce. I scared him off. In fact, I chased him back to his home and banged on the rocks on the outside to give him the message "do not step into this yard." I had to do that twice. I also put a metal fence around the top of my raised beds. About a foot high, it has prevented the woodchuck from gaining access. I haven't even seen him since.


What about squirrels? Well, I have made the squirrels my "associate gardeners."

Squirrels are like the mafia. You have to pay them off. I put birdseed out specifically for the squirrels and now they leave my garden alone. The only problem I have had is that they are constantly planting sunflowers everywhere...but that's not so bad. I actually enjoy seeing them. I view them as "associate gardeners."


Fatalism and Cybersecurity

In its worst form, I have seen organizations act as if it is fate that determines whether or not they will be hit by a major cyber-attack.


I'm not referring to the "it's not IF, it's WHEN" quote that we often hear. That is actually a call to action, not a call to resignation.


I have seen so many ransomware events at Hospitals - nearly 100 in my career - and yet it has been a struggle to get leaders at other Hospitals to focus adequate attention on cybersecurity. Yes, all of these organizations are struggling financially, but a cyber-attack is only going to exacerbate the problem. In some cases, it may even put the Hospital out of business - ransomware is an existential threat.

RANSOMWARE IS AN EXISTENTIAL THREAT

After one major cyber-attack where the Hospital was down for 6 weeks, the COO told me that they never want to go through that again. They are now prioritizing IT and Cybersecurity at the same level as clinical needs (such as buying an MRI).


But will it take a ransomware event to turn every executive into a believer?

It is fatalistic not to take significant action to protect an organization now. In a sense, people are acting like a bunch of bunnies in a field. There is a hawk circling overhead, and everyone is just hoping they are not the one that gets attacked. Hope is not a strategy.



People Make Mistakes - Plan for It

Another area where I see fatalism is this idea that "people are the weakest link." It is as if the people who say this have resigned themselves to the inevitability of failure on the part of their people.


Systems should be put in place to account for the imperfection of people. We all make mistakes. I remember I was obsessed with trying to get an absolutely perfect 100% grade in Algebra. On every test I checked and double checked my work. But no matter how careful I was, I always got at least one problem wrong. I never could get that 100%.



Now think about your work day. You may be tired. You may be stressed. The coffee machine stopped working. And then you receive a phishing email that is very convincing! The email appears to come from a coworker, and they are even talking to you about a current project. Are you really going to detect the phish?


Build a Strong Cybersecurity Culture

It is vital that people feel free to come forward when they make a mistake. Quick action is invaluable, and if the person who fell for the phish comes forward as soon as they realize their mistake, the impact can be greatly lessened.


Don't berate people for making mistakes! They are only human. Reward people for making mistakes and coming forward. Tell their story. Praise them for their courageous action. It takes courage to admit you made a mistake.


Compensating Controls are Important

In addition to recognizing that people make mistakes, recognize that processes - both automated and manual - sometimes fail. A script may not execute properly due to a software update. A Windows update fails because of an unexpected hardware issue that Microsoft didn't account for. A Windows update causes virtual NICs to be reset (true story), taking all of the servers off the network.


In such cases, you need compensating controls. There needs to be a process to regularly review systems to ensure that all systems were patched and all processes ran to completion. Expecting perfection from man-made machines is not realistic.


Conclusion

So don't resign yourself to fatalism, even in the subtle ways we have discussed.


Instead, we all should:

  • Plan for imperfection.

  • Plan for people and processes to fail.

  • Continue to learn from mistakes and improve processes.


Contact me for a free consultation — Justin@ArmstrongRisk.com.








1 Comment


Very true Justin. It's also a Board level minefield: "Are we protected?"


A fatalist will always respond "No"; I hope a more pragmatic CISO will respond "Yes, from some threats, but not all and if you want to improve that, here's the strategy!"
