If you are a soccer fan you may recognise who is featured in the above photo and the tragic story that followed. Let me explain for those who do not know what happened next.
The footballer pictured is Andres Escobar, a Colombian who played defence. Up against the United States on June 22, in Colombia’s second match at the 1994 FIFA World Cup, Escobar stretched to block a pass from American midfielder John Harkes. His timing was off and, to the shock of the crowd, Escobar accidentally deflected the ball into Colombia’s net.
The United States won the game 2–1. The news swept the world with headlines shaming Escobar. He was devastated; Colombia was devastated, but what was truly devastating was what happened next. In low spirits, Escobar returned to Colombia rather than visiting his relatives in Nevada. On July 1, he joined friends at a bar, a liquor store and eventually a nightclub. Shortly after parting ways at around 3am on the morning of July 2, three men approached Escobar whilst he was in his car at the nightclub car park and shot him six times. After each shot, “Gol”, the Spanish word for “goal”, was shouted. Escobar died 45 minutes later.
Escobar paid a hefty price for a failed attempt to prevent his opponent’s goal, which resulted in him inadvertently placing the ball in the wrong goal.
Almost every organisation is “inadvertently placing the ball in the wrong goal” when it comes to thwarting cybercriminals. So what is the wrong goal?
Have you ever met a woman who is half pregnant? You may have met a woman who did not know she was pregnant, but clearly there are two states: pregnant or not pregnant. This is a binary state. Most organisations are chasing a goal of “cybersecurity”, but security is also a binary state. An organisation is either secure or it is not. We associate security with stopping or preventing breaches of confidentiality, integrity, or availability. To be secure means every breach must be stopped. I’ll give you two analogies to let the idea of security being associated with prevention sink in. Would you say that a bank vault is secure after it has been broken into? Would you say that a prison is secure if it has been broken out of? The moment prevention fails just once, even though it may have been successful millions of times prior, the concept of security is lost, and you can be sure that prevention will fail in your organisation if it hasn’t failed at least once already.
Chasing cybersecurity is the wrong goal. Let’s consider, hypothetically, what your organisation would need to do if you wanted to achieve cybersecurity:
- The organisation would need to be disconnected from the Internet
- All employees would need to be fired
- All customers would need to go elsewhere to consume whatever goods or services you offer
- All physical and electronic information would need to be destroyed; and
- The memories of anyone who had access to any information about your organisation would need to be erased
Each of those is harsh, and not a business-enabling task, but if you are hell-bent on cybersecurity, I really do wish you good luck with the last one!
Security is clearly the wrong goal, but stay tuned. In the next post we will explain what goal your organisation should be aiming for if it wants to put up a good fight against cybercriminals.