Cybersecurity headlines scream of sudden breaches and advanced persistent threats, making it seem like these hacks take place overnight, out of nowhere, without warning.
The truth is that these incidents are often the result of a gradual erosion of good habits and security practices over months, if not years.
The analogy of “getting hacked slowly” struck me while reading Peter Attia’s book, Outlive, which emphasizes the importance of improving “healthspan” rather than just “lifespan.” The premise of the book covers how modern medicine has helped us live longer but hasn’t increased our quality of life in those extra years.
In one of the final chapters of this book, the one that hit me the hardest, Attia introduces the concept of individuals essentially “killing themselves slowly.” This phrase and the theory behind it were so impactful that I initially considered it as the title for this piece.
While I will undoubtedly explore that topic in the future, for today, I wanted to keep the focus on information security. Not sure how ready I am to dive into the profound inquiry of whether or not some of us have unwittingly given up on life.
The central idea behind “killing yourself slowly” is that even if someone ultimately succumbs to a heart issue or an overdose, the genesis of that demise often (not always) traces back to a much earlier moment in time.
Attia theorizes that many individuals grappling with drug addiction are, in fact, mental health patients - despite overdoses being characterized as accidents, the same category as car crashes.
Some pivotal event in their lives propels them towards the path of substance abuse, leading them to relinquish any aspirations for a normal or healthy life long before the day of their overdose.
Oddly, I find myself drawing a parallel between this narrative and the world of data breaches. Why can’t I resist making this connection? I suppose I’m somewhat twisted like that.
The Deceptive Calm: Ignorance Isn’t Bliss
In infosec, things are never quite as quiet as they appear. In fact, for security teams, calm generally means you’re not watching closely enough.
But I’ve seen this happen many times in my career. The general vibe of the security team was, “Yeah, we’re probably already popped and just don’t know it.”. After all, it’s hard to keep up with the speed and ingenuity of threat actors these days.
In those same companies, though, the higher-ups confidently assure other stakeholders that there is quiet in the house and there is nothing to report. Detached from the nuance of boots-on-the-ground engineers, a board member might seem placated or even delighted by the calm. No news is good news, right?
Green numbers. Charts with arrows pointing up and to the right.
Many times these security teams are keeping very busy. Attentive and nervous C-suites read about vulnerabilities in the news and sound the fire alarms, causing their engineers to divert from the day-to-day game plan and start a game of vulnerability whack-a-mole instead.
These security fire alarms distract teams from building out their security practices to prevent and detect threats before they have unmanageable impacts.
All this to say, being busy doesn’t equate to being effective. It’s often a sign or symptom of a broader problem of inadequate vigilance.
Technical Debt
Having led security for early-stage companies, I can attest that there’s no such thing as a company without technical debt.
The proverbial “clean slate” is a myth, a dream, with no roots in reality. In the first 6 months of a startup’s existence, there is a graveyard of ideas and tickets already forgotten.
The “move fast and break things” mantra is one I can’t honestly say I disagree with, but because of it, we need to get this idea of “catching up” out of our mind. There is no finish line where your tech stack is clean, purring like a kitten, and with no major changes in sight.
What does this mean for security and getting hacked slowly?
Technical debt exists, but it doesn’t have to mean neglected areas of risk or translate into a pile of exploitable vulnerabilities waiting to be hacked.
I promise you we can make our mortgage payments on time while still brushing your teeth every day.
Daily security habits and hygiene will compound just as powerfully as the interest on that debt pile.
Priorities: Security Health & Hygiene
Attia talks about patient care; the measurements he takes and the tests he runs on the folks who come through his medical practice — even those without pre-existing conditions or concerning symptoms.
Many of these tests, he shares, traditional doctors don’t bother to run on patients who are seemingly “young and healthy.” Instead, they wait until dangerous diagnoses are looming, and finding a way back to baseline health is nearly impossible.
This is the whack-a-mole I mentioned earlier. Chasing the headline-making vulnerabilities that seem to have their own marketing and branding teams while ignoring some of the basics. The hygiene.
Let’s think like this:
Eating nutritious foods and going on regular walks is the equivalent of enforcing FIDO MFA and password managers.
Automating SCA into your CI/CD pipeline is your daily toothbrushing and floss habit.
Without beating these analogies to death, we shouldn’t major in the minors the same way you don’t wash down your daily multivitamin with a Big Mac.
Focus on the basics. Get them right. Then worry about the advanced tactics.
- Proactive Monitoring: Just like subtle changes in our health, the early signs of potential breaches or vulnerabilities often go unnoticed. But they’re there.
- It’s often a missed log entry, a slight anomaly in network traffic, or a seemingly innocuous script running in the background. These are the silent signals, the precursors to a potentially much larger problem.
- Layered Defense: Our bodies don’t rely on a single line of defense against disease and injury. We have skin, mucus, antibodies, and white blood cells, all working in tandem to keep us healthy.
- Similarly, a good cybersecurity strategy isn’t about having one robust line of defense but multiple layers that can detect, counter, and mitigate threats at various stages.
- A Lifelong Commitment: Good health isn’t just about not being sick; it’s a proactive commitment to well-being. Similarly, not getting hacked isn’t a point-in-time exercise.
Just as we invest in our health, we need to get secure slowly — understanding that it’s a lifelong commitment, not an overnight success.