Allow me to set the scene. It was Father’s Day 2015. I had just come from the barber shop and I met the family outside of a restaurant for dinner. Up this point it had been a great day, jet lag notwithstanding. We were taken to our table and were seated by the window. My kids immediately took it upon themselves to drive my wife and I completely up the wall. So, business as usual.
As we perused the menu and begged our son to stop throwing salt shakers, I noticed that we had been joined by some uninvited guests. Three flies had decided that, of all the tables in the restaurant that ours was apparently the table to be at, much to our chagrin. They executed all manner of aerial acrobatics and I tried my best to ignore them. Finally the server drops by to see how we are doing. My wife makes a veiled comment about the air show and the server wanders off to see what can be done about it.
I had expected no resolution as this was a restaurant on the water and the doors were open to the outside for the patio. The server returned to inform us that they had closed the doors so that the flies could no longer get into the restaurant.
I had to scratch my forehead and wait for a moment to see if the obvious issue at hand was to be addressed. When no response came I asked, “What about the present dinner guests?” I received a pronounced shrug in reply. The problem remained but, there was a reduced chance of it getting worse.
As we were left to fend for ourselves I realized that this is a situation that I had lived through many times in my career. There were many occasions where the prevailing security issue of the day was overlooked and a tangentially related problem was addressed instead. Why is it that so often security discussions get mired in the “shiny” aspects as opposed to the addressing the problems that require it?
I munched on my leathery steak and pondered this point.
Often I get asked questions about 'what if' scenarios that will negatively impact operations. But, every once in a while I will get the most outlandish Dunning-Kruger level posit. I recently had a conversation with someone where they were convinced they were under attack from $country because that’s what their $tool had alerted them on an apparent attack. I asked some probative questions as to the level of tuning they had implemented. The alerting mechanism was running with a default configuration. But, this person was so sure they were right that they were incapable of allowing that, in the face of mounting evidence, they might be incorrect.
This person was focusing on the wrong thing entirely. Rather than peel back the covers to see what was the issue they were happy to accept what their appliance was telling them. A troubling problem that plays itself out on a daily basis around the world. Organizations need to have the wherewithal to examine what the real risks to their environment are and take steps to address them.
When the flies are buzzing around your office, don’t go out of your way to prove the Dunning-Kruger effect by closing the door. Examine what the real risks are to your enterprise and work on addressing those as opposed to getting lost worrying about issues that do not really concern you.
Originally posted on CSO Online