Image by Copilot
“The best inspiration comes from within.” That’s not a quote from Sun Tzu, the Chinese general from the sixth century BC, whose work The Art of War is quoted at every opportunity. No, we attribute this quote to one Patrick Borsoi from the twentieth century AD. Not Chinese, not a general, but – in all modesty – occasionally clever.
Readers sometimes ask me how I find
inspiration for a blog every week. I usually answer that I observe my
surroundings and often see something mundane that I can link to information
security. Sometimes colleagues give me a tip, whether or not from their own
daily lives. Now I’ve discovered something new: listening to myself. Literally.
I was a guest on the podcast of the KNVI,
the Royal Dutch Association of Information Professionals. I was there to talk
about the Security (b)log and more technical topics like phishing, AI, and
quantum computing. The podcast went online on July 1, and of course, I was one
of the first to listen to it. That’s quite strange, by the way, but everyone
says that when they hear a recording of themselves. The point is that I heard
myself say something I had never said before and didn’t even remember saying
(the recording was made a month and a half earlier).
Marijn Plomp is the regular host of this
podcast, and Sandra de Waart was his sidekick that day. Since my blog has security
awareness as its overarching theme, Sandra asked me: “How do you actually make
people aware?” Because, as she rightly pointed out, simply saying “be aware!”
doesn’t help. I compared it to a traffic sign that gives a general warning of
danger (a triangle with a red border and an exclamation mark in the middle). If
you only see that sign, you still don’t know anything. Only if there’s an extra sign underneath, explaining what the
danger is, will you know what to do or avoid. And here it comes. I said: “I try
to be that extra sign.” By explaining why something is a risk, by clarifying
it, you can make people aware. They need to understand it and even feel it.
Later in the podcast, I made a statement
I’ve made more often: “I get paid to think in doom scenarios.” Just as there
are people who get paid to play with Lego all day, I get to indulge in the
question: what could possibly go wrong? While others revel in what a system,
device, or method can do, I get to look at the dark side. That’s not always
easy, as it can sometimes dampen others’ enthusiasm. Usually, that perspective
on the error path is appreciated after all, because the final product improves
by also considering aspects we’d rather ignore. That quote about doom thinking
is, of course, a big wink, but it clearly and concisely shows that risk
analyses are important – even if it’s just on the back of an envelope.
At the end of the podcast, I hear myself
say that I need people as the last line of defense. Because if technology fails
to avert disaster, if, for example, that one phishing email still manages to
get through all the checks, then the employee whose inbox it lands in can make
the difference between a healthy and a crippled organization. And with that
last line of defense, we circle back a bit to Sun Tzu, who undoubtedly wrote
something about that too.
Listen to the KNVI
podcast. [DUTCH]
And in the big bad world...
· airlines have recently attracted a lot of attention from cybercriminals.
· even criminal organizations sometimes shut down.
· Germany wants to ban DeepSeek.
· physical and digital crime sometimes converge.
· the Dutch Ministry of Defence is also investing in AI and cloud services. [DUTCH]
· the police will now also respond to digital crime reports. [DUTCH]
· a civil servant was punished for emailing confidential data to his private address. [DUTCH]