The Pop Music that is Modern Cybersecurity

My biggest problem with pop music is the same problem I have with modern cybersecurity: the media keeps falling for some hack trying to get five more minutes of fame for something that’s really not worth our time.

Personally, I love good research that shows how a set of well-orchestrated tactics can expose and take advantage of a vulnerability. I like it less when it’s the same research from last year applied to a new thing. I like it even less when that new thing isn’t new, it’s just a thing that happens to be risqué.

Just like new pop songs that sound a whole lot like last year’s pop songs, but now talk about something a little dirtier or reveals some dirt about a popular entity that we all liked. Especially when that song is recursively dishing dirt on the singer themselves. (Seriously, how many songs do we have to get each year about how tough it is to be a pop star?)

Dancing In the Dark (Web)

It turns out modern cybersecurity has a lot in common with pop stars. For one, it’s too easy to make it big with just a little skill and a lot of confidence because you have software that can do all the work for you. Vulnerability scanners make the auto-tune voices of the security space. And the same self-confidence you need to try to convince the world this vulnerability you discovered may be the end of the Internet as we know it is also the same you need to wear a full-body, raccoon-fur leotard on stage in front of 10,000 people.

Besides that, there’s also a lot of congruity with the bad side: the constant demand, the sleepless nights, and way too much responsibility over things that have nothing to do with your actual job, like how pop stars are required to attend benefits to promote social good or act as role models, do interviews, or answer fans on Twitter - which is the equivalent of cybersecurity professionals doing patching and security awareness training.

Since I see you’re perplexed at why I said that, I’ll take a moment from my pop star simile here to say a few words about that. Patching needs to be part of IT maintenance because it needs to be part of change control to systemically make sure patches don’t affect operations.

Security awareness needs to be part of HR because it’s about people making better decisions. Who usually hands out the employee security policy? HR. Why? Because they deal with people.

Another Brick in the Firewall

When a company needs to do workplace harassment training, do they leave it to the cybersecurity team? No, it’s done by HR. It wouldn’t even occur to them to involve IT, despite the fact that a good deal of it is happening over the corporate network. That’s because they see it as a human issue. And it is! Just like security awareness is a human issue dealing with human vulnerabilities like distraction, pressure tactics, peer pressure, and manipulation.

Who usually answers calls to reset passwords? IT. Specifically, the helpdesk that IT oversees. Why? Because it deals with networking operations.

Look, when IT answers phone calls from people, they don’t pass the call first to the security team - after all, it could be fraud. Additionally, a large percentage of calls could be about logins, passwords, blue screens, and many things that could point to a security problem.

But they don’t give it to the cybersecurity professionals because those things are essentially operations, part of productivity which falls under IT maintenance. The helpdesk may be required to follow guidelines from the cybersecurity department, but it isn’t handled by them directly.

Enough distraction. You totally threw me off my point now with your needy neediness. So back to the topic. Pop stars. Cybersecurity. Could they be any more similar?

And now - on to my big finish!

I'm Too Sexy For My (Helpdesk) Shirt*

One thing people say (and by ‘people’ I mean Reddit) that the invention of music videos ruined a lot of potential careers as great singers were at a disadvantage if they weren’t also sexy. Now many of us can find exceptions to that rule, but as an expert both in human nature and in being sexy, I think there may be some truth to the idea that the masses might be somewhat shallow about the level of sexiness required from their pop stars – and similarly in cybersecurity.

Except in cybersecurity, that sexiness is less about the shallowness of looks and more about the brand that you are representing.

So, if you are the security employee at a brand that the masses find sexy, then people are more likely to listen to you. And yes, you can find exceptions, just like with pop stars. And yes, there are people who find Microsoft sexy despite the Windows ‘95 launch party, which, while cringe-worthy today, still does have a certain nerdy charm about it. For someone anyway. If you’re into that kind of thing. 

You know what you call even the worst cybersecurity employee at Microsoft or Amazon or Uber or Snapchat or BMW or Google or Starbucks? The keynote presenter.  And not because they can tell the masses to cyber-hygiene better than you could, but because they can put that hot and sexy logo next to their name.

So that’s it. Chew on that for a while and then think to yourself, “Man, that guy’s brilliant - if only he were sexier I would actually listen to what he has to say.”

With that I’ll be like those horrible pop songs they don’t know how to end so they just fade away, theoretically never ending as they get quieter and keep going and going and going…


(*Thanks to the Cylance Research Team for supplying these great infosec song-title puns – check out the others they came up with here.)