You May Not Know It, But You Are Cassandra
The cursed prophet resonates with cybersecurity people more than they ever realized.
![Cassandra](https://substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F38ccd78a-0977-466b-95c4-4841b867eba0_511x514.jpeg)
The myth of Cassandra has interesting parallels in a cybersecurity context. For those who, unlike me, didn’t study Ancient Greek (Κασσάνδρα!) or are not attuned to Greco-Roman mythology, here’s the condensed version: Cassandra was a priestess in Troy. In many versions of the myth, the god Apollo took a fancy to Cassandra and gifted her with the ability to see the future. When she spurned his advances, he added a curse that no one would believe her prophecies. This did not turn out very well in a lot of cases.
Security Resonance
Is there a theme here that resonates in cybersecurity? We are often expected to raise issues, but are then ignored, or at least feel ignored. So how can we avoid being modern-day Cassandras?
We should take time to position and explain what we mean in business terms. Very few, if any, businesses are driven primarily by security. Security types need to be realistic and not expect all recommendations to be taken in their entirety and 100% implemented. I do not expect companies to put security first, but rather to integrate security into their plans as best they can. This requires a security roadmap that is aligned with the business roadmap. Tailoring security goals to the stage and maturity of the business is essential in putting this in place.
A Culture of Security
Building a culture of security from the ground up and the top down allows everyone at a business to participate in security. My friends at MIT CAMS have interesting things to say about building security culture in organizations of all sizes. People implicitly follow the lead of the CEO and other executives at companies of all sizes, so there should be an extra emphasis there. A CEO looking for a “special dispensation” not to use two-factor authentication is not sending a terribly good message at all. Board members should be asking their executives how they set a good example in cybersecurity and other areas (ethics, anyone?).
Once again, I thank the SEC for raising the visibility of security at the board level and am hoping that this will filter down through organizations. Let’s also acknowledge that security culture comes from the bottom up as well. The decisions and careful actions of individuals in any company can and do spare it from security incidents.
I feel obligated to note that putting security front and center does not mean saying “we take your security seriously” after every breach and then not doing anything. Maybe we should be using the other classical language and saying “mea culpa” instead.
Thanks
Thanks to the BBC and researchers at Pompeii for making me think of this topic. It seems ancient mythology’s many stories are often all too relevant today. Are there any others that resonate in cybersecurity for you?