Better Ransomware Protection Using the Scout Mindset
If you have been in security for any length of time you have undoubtedly run into someone new to security who recently discovered Sun Tzu’s The Art of War and tries to (mis)apply Sun Tzu’s teachings to every security situation. It is not that The Art of War isn’t a good tome or that it doesn’t have valuable lessons, it’s just that it has been overused in security for so long (by myself included) that those who have been around for a while just roll our eyes when we see it.
At the risk of doing the same thing, I want to talk about the book The Scout Mindset: Why Some People See Things Clearly and Others Don’t by Julia Galef. In the book, Ms Galef looks at the differences between the Soldier and the Scout mindsets and discusses how the widespread inclination toward the soldier mindset can cause problems in our personal, professional and organizational lives (this is an oversimplification, definitely read the book for more details).
As I read through the book, I was struck by how the problems she described repeatedly show up in organizations I talk to around cyber security in general, and in ransomware protection, specifically.
I want to start with a basic premise: We know, and have known for a while, the steps that need to be taken to protect against modern ransomware attacks. While there are always little tweaks in the approach that attackers take, the basic framework of ransomware attacks has been fairly standard for the last couple of years. Despite this, the number of ransomware attacks continues to grow and too many organizations remain unprepared for a ransomware attack.
I don’t think anything in the above paragraph is particularly controversial. Some of the disparity between what we know about attacks and how prepared organizations are can be explained by lack of budget and the procurement process. For example, I can tell an organization that they need to enable multi-factor authentication to protect themselves, but actually enabling multi-factor authentication is anywhere from a six month to a year long process for most organizations (and unlike Thanos in Avengers Endgame, the ransomware groups won’t wait for your slow motion entrance before they attack).
But, I also think that a lot of this can be explained by the Soldier mindset that many cybersecurity organizations have (it certainly doesn’t help that information security as a whole has co-opted so many military terms). I was particularly struck by this passage in the book:
Beliefs crystalize in identities through the feeling of being under siege from a hostile world
Right now, it feels like cybersecurity teams are under constant siege, both from attackers and from the organization (reduced budgets, increased demands on their time, pushback against new security measures, etc). This type of embattlement can lead to an increasing adoption of the soldier mindset, which often leads to an inability to admit when the organization is wrong, to denial, to self-deception and even to wishful thinking.
I see this play out repeatedly in ransomware tabletop exercises: organizations that are clearly not ready for a ransomware attack simply cannot accept that fact and make the changes that need to be made, because it would mean “admitting they are wrong” (though I never try to play “gotcha” in tabletop exercises; I just want to uncover the truth, so there is no wrong or right, just the reality of how prepared the organization is).
Organizations that are better prepared for ransomware attacks are much more likely to have a scout mindset. These are organizations that are continuously changing and improving their security posture, based on testing of assumptions and acknowledgement of weaknesses. They are more interested in discovery, accuracy, and intellectual honesty.
This has to start at the top, with leadership that doesn’t take personal offense when improvements are suggested or weaknesses in security defenses are pointed out. The goal is to have an honest assessment of an organization’s security posture and ability to defend against ransomware attacks, and to make changes accordingly. Importantly, that means having a true understanding of the risks and exposures the organization faces while improvements are being made, and seeing if there are compensating controls that can be put in place to cover weaknesses. If there aren’t, that still means providing honest reporting to leadership of the weaknesses that attackers may be able to exploit and the likelihood of those weaknesses being exploited.
Being a scout is tough, and running your cybersecurity organization with the scout mindset can be even tougher; it is important to do that without sounding like Glum the Lilliputian. Instead, you always want to provide an accurate and reasoned assessment, no matter how difficult that is.