Five Cybersecurity Memes and What They Say About Cybersecurity Today

Author: Naomi Buckwalter, CISSP, CISM, Director of Information Security & Privacy, Energage
Date Published: 26 May 2022

Cybersecurity memes on social media are often good for a laugh, but several of the more popular ones have gained resonance with security professionals for a reason – they often speak to true (and painful) industry realities. Here are five cybersecurity memes that have made the rounds on social media recently – and reasons why you might want to pause your scrolling to give their deeper meaning some thought:

1. “Hide the Pain Harold”
How many security tools are in your company’s security tech stack? Are all the tools used to their full potential? Do you have enough people on your team to run the tools that you purchased? If you answered “No” to any of these questions, you’re not alone. It is estimated that up to a third of security software purchased sits on a shelf unused, and this trend does not seem to be changing anytime soon. Remember that you can’t “automate” security with a tool. You’ll always need time, resources and organizational support to configure, manage and optimize every new tool that you buy. Don’t fall into the trap of wasting money on security tools that you’ll never use.

2. “High Five Drown”
When a major breach or security incident happens, what do we do as a community? In my experience, we very happily throw each other under the bus, pointing fingers and shaming the victim for not doing enough to prevent the breach. But here’s the thing. Every company that has a major security breach also has a security team, and that security team is protecting and defending to the best of its ability, just like the rest of us are. Breaches happen to even the very best security teams. So instead of pointing fingers and victim shaming, we should be offering support, advice and guidance. We should want response teams to get through the incident as quickly and smoothly as possible. After all, who knows? Maybe one day, it’ll be your company that needs the help, and you’ll want the community on your side, not against you.

3. “See Nobody Cares”
It can sometimes seem as if we exist inside an echo chamber when it comes to “infosec drama”; nobody outside of infosec cares about zero days, critical vulnerabilities or massive security breaches quite like we do. Of course, there are many reasons for this, including breach fatigue, but in my opinion, our community does not reach outside of our “infosec bubble” very often. We don’t win hearts and minds for security, we don’t make allies and friends, and we certainly don’t help people, especially fellow business people, fully understand that security is a shared responsibility. I personally believe this is why we continue to have breaches – security is unable to make security a concern for anyone besides ourselves. And if we ever want that to change, we must start by changing the way we work with others, and reach across the aisle with a healthy dose of empathy, humility and respect.

4. “Distracted Boyfriend”
With an estimated 6,000 cybersecurity vendors out in the world, the information security community is often so distracted by “shiny” things – IDS/IPS, WAF, SIEM, EDR/XDR, FIM, etc. – that we tend to forget to work on the basics and fundamentals of our profession, like patching, enforcing strong passwords and multifactor authentication, and user awareness.

According to the recently released Data Breach Investigations Report by Verizon, social engineering (phishing) ranks as the top root cause of a data breach; the more advanced attacks, like Remote Access Trojan (RAT) attacks, rank at the very bottom! Your company is much more likely to get breached due to social engineering than a zero-day attack. Yet we buy shiny objects to prevent the complex attacks, not understanding that the real threat is right in front of our faces. Our priorities are all wrong! We need to spend more time doing the basics because that’s where the threat is.

5. “Bike Stick in Wheel”
There are hundreds of thousands of unfilled cybersecurity jobs in the United States and millions of unfilled jobs around the world. According to ISACA’s 2022 State of Cybersecurity report, close to 70 percent of cybersecurity professionals feel that their teams are understaffed. And because over 85 percent of these job openings are for the mid-senior to senior levels, there simply aren’t enough qualified candidates out there for us to hire. So, what do we do? Instead of growing a security workforce from the ground up, we poach people away from other security teams! We need more people in cybersecurity, and we need them now. Because the entry-level people that we hire and train today become the senior-level professionals that we need fighting our battles tomorrow.