Outcomes/Deliverables
The outcome was a list of characteristics that describe the cyber security industry and the problems within it. This was sourced from everyone in attendance.
Synopsis and Takeaways
The list of characteristics is below:
- Adversarial
- Arrogant - Security knows best
- Asymmetric between us and adversary
- Auditors as adversaries
- Auto-didacts - self-taught
- Blame culture
- Breach fatigue
- Built-in feature
- Career paths undefined
- Constant Evolution (speed)
- Direct opponent to progress of other business areas
- Eternal, the game doesn’t end
- Expert-driven, technical experts
- Failure seen as normal
- Fear-motivated
- Fragmented ( many different types of role? )
- Hoodie, public perception is incorrect
- Idiolect - it’s own language and jargon
- Idiots – Ignorance, unreceptive
- Imposter syndrome
- Inter-dependency
- Lack of comparative data to judge who is winning or losing
- Lack of diversity in participants
- Lack of immediate reward / results for effort
- Lack of knowledge
- Media presence, in the public eye
- Mystical (it’s not when learnt or explained)
- No initiates or apprentices
- Optimisation Game
- Political
- Poor P.R.
- Reactive - response to attacks
- Secret club, barriers to entry
- Transparent Success, no obvious indicators
- Ubiquitous - affects all
- Untouchable adversaries aka “APT bullshit”
Identified Questions
- What do we do with this list?
- How can we make this list useful?
Important Conclusions
- There are many characteristics to the industry, especially when it is vaguely defined with the aim of encouraging brainstorming.
- There is a much greater interest in this analogical approach than the organiser originally expected.
- Expecting to define characteristics in a single word or phrase was overly optimistic. I suggest we work with what we have for now, but this approach should be modified in future.
Working Materials
A list was made on the available A3 sheets as work progressed, including the following:
References
N/A
Additional/External References
N/A