If you’ve been in the cybersecurity profession for any length of time, you’ll have heard (or said) the old chestnut about two hikers who run into a bear on the trail. One hiker immediately takes off his hiking boots and puts on his running shoes.
The other hiker points out that even with running shoes it’s impossible to outrun a bear, to which the hiker with running shoes says “I don’t need to outrun the bear — I just need to outrun you.” The lesson being that an organization’s cyber risk program doesn’t have to be the best — or even particularly good. It just has to be better than the one next door.
The lesson is wrong — dead wrong — for several reasons. First of all, in the cybersecurity context there isn’t just one “bear,” there are thousands of them, and these bears aren’t necessarily satisfied with “eating just one hiker.” Your program may be “better” but if it’s vulnerable there will still be plenty of bears eager to have it for lunch.
Jack Jones is Chairman of the FAIR Institute and creator of the FAIR model for quantitative analysis of cyber and technology risk.
Another reason the lesson doesn’t translate to cybersecurity is that some bears simply prefer certain types of hikers. You may be faster than the other guy (or gal) but if you look or smell particularly appealing you’re still going to end up being a bear's lunch. Many of the most sophisticated (and damaging) threat agents select their targets for very specific reasons.
A third reason not to like this fable is because it implies that benchmarking your organization is of primary importance. Look, I get why organizations like to benchmark themselves against others. Humans are in a sense herd animals, after all. The problem is, benchmarking is a relative measurement that by itself tells us very little about the actual efficacy of a cybersecurity program. That said, relative measurements like benchmarking can be very useful when they're based on truly important measurements. Just be careful not to assume they represent more than they do.
A final reason I wish people in our profession would quit citing this fable is that it demonstrates a significant lack of critical thinking and a willingness to accept/adopt principles that don’t stand up to examination. We can do better.