Why IT managers should ask the right questions – a commentary by Roland Stritt, Vice President Central EMEA at SentinelOne
Every new year also means it’s time for the annual outlook for the coming year. But “predictions are difficult, especially when they concern the future.” In my opinion, this statement, which is attributed to either the American author Mark Twain or the German comedian Karl Valentin, can easily be applied to cyber security: in our industry, it is sometimes even difficult to predict what will happen in the next 30 seconds – let alone twelve months. My colleagues and I believe that it is more effective to avoid (more or less vague) predictions and instead ask (difficult and also uncomfortable) questions – in order to create new ways of thinking.
Many predictions in the IT industry only describe the “what” and “how”, only a few also deal with the “when, where, why and who”. But these are precisely the questions that really matter. Albert Einstein once said: “If I had an hour to solve a problem, I would spend 55 minutes thinking about the problem and five minutes thinking about the solution.” Because as soon as you know the right question, you can solve the problem in a short time.
This is another realisation that I believe applies to cyber security. Right now, those responsible in companies and public authorities are facing major challenges in view of the ever faster evolving threat situation. This gives rise to four key questions that should be asked at all management levels:
1. Do we have the necessary knowledge to properly assess risks?
“Some people would rather drown than call for help.” is one of the many well-known sayings of the German poet Wilhelm Busch. Unfortunately, it has been shown time and again that those responsible in organisations have (too) little experience in the area of cyber security, and many also overestimate the quality and effectiveness of their defence systems.
That’s why it’s important to remain humble about some things in life and to ask experts for help. Ideally, not just when the dreaded emergency has already occurred.
2. Can our employees be bribed?
The Lapsus$ hacker group did just that: according to Microsoft, they “gained initial access in various ways, such as paying employees, suppliers or business partners of the target companies to access credentials and authorise multi-factor authentication”.
In other words, sometimes it’s even simpler than the French playwright Molière’s saying “Where one door closes, another opens”. Because if you are simply let in through the door, you don’t even have to break in.
Continuous employee training on IT security and compliance should be part of the mandatory programme to close this potential gap.
3. What is the most unusual way hackers could access our data?
The idea behind the phrase “think outside the box”, which has a comparable idiom in German, comes from Norman Maier. The American psychologist defined the concept behind the phrase, which many management consultants adopted in the 1970s and 1980s, as early as 1930, when he discovered that less than five per cent of students had this ability. They were so limited in their way of thinking that they could not see the proverbial wood for the trees.
It is therefore necessary to create an environment where innovation is encouraged so that teams can think outside the box.
4. Are we addressing the most important threats – or just the most urgent ones?
The Eisenhower Principle, named after the former US president, is a way of categorising tasks according to urgency and importance: There are “two kinds of problems: the urgent and the important. The urgent are not important, and the important are never urgent.”
His decision-making principle was simple: tackle first only what is both urgent AND important. Security teams should be guided by this – for example when prioritising security risks in IT and OT.
About the author: Roland Stritt is Vice President Central EMEA at SentinelOne.