For too long, the culture of cyber security has been dominated by FUD (Fear, Uncertainty and Doubt). Freakyclown and I talked about this for our 2018 Bsides Leeds opening keynote. This is a cynical and pessimistic place to be and alienates the very people we are often trying to engage with: board members, co-workers, friends, family and the general public. Much of our industry is occupied with finding flaws and identifying problems, which is obviously inherent to what we do and hugely valuable. However, that arguably contributes to a negative mindset and culture: we see how 'broken' the internet is, and how prolific attacks are, and it's understandable that a sense of inevitable doom and gloom prevails.
Most people think the world is worse than it is (see the work of Hans Rosling, Ola Rosling and Anna Rosling Rönnlund in their book Factfulness and website Gapminder) but are wired towards being optimistic about their own, individual life (see Dr Tali Sharot's work on The Optimism Bias). I believe these mindsets feed into the cyber security community's tendency towards pessimism, and into the average person's sense that they will never be the victim of cyber crime.
Humanity has tackled greater problems than cyber security, and has been extremely successful in doing so. We understand that there is no such thing as 100% security, and in fact that security is a process rather than an end-state. I'm not arguing that we should deny the many challenges we face in terms of cyber security, but rather that we acknowledge the progress we have made in a relatively short space of time, that we are a young industry and so inevitably we have a lot of work to do, and that we will continue to see progress, achievements and success. Hans Rosling argues that a better term than optimism is possibilism:
“As a possibilist, I see all this progress, and it fills me with conviction and hope that further progress is possible. This is not optimistic. It is having a clear and reasonable idea about how things are. It is having a worldview that is constructive and useful” (Factfulness, p. 69)
I have spoken about optimism (perhaps I should have called it possibilism) and cyber security for a while, especially in my presentations over the last couple of years, and gave an entire talk on the subject as the opening keynote for Bsides Scotland, Infosec in the City and the (ISC)2 Security Congress in 2018. In preparing the talks, I was looking for a timeline of cyber security achievements, but no matter how much any of us at Cygenta looked, we couldn't find one. There are plenty of timelines of attacks (which are very helpful), but seemingly none which show the flip-side. Until now.
We have started building a timeline of cyber security achievements and you can see the first version below. We have a plan to develop the timeline a great deal, but as with everything like this we are fitting it into the margins of work, so we hope you will be patient and supportive with its development. There are undoubtedly many gaps on this timeline (which is a good thing! We have achieved a great deal as a community) so please tweet us @cygenta (or you can email firstname.lastname@example.org) with any achievements / positive milestones that you think should be included. Thanks!