“The opposite of hope is despair, and when we despair, it is because we feel there are no choices.”
– Warren Bennis
Cybersecurity is a field where the stakes are impossibly high. MSS Director Brodie Downes shared his experiences navigating sleepless nights and the psychological toll that comes with defending against relentless cyber threats. In a landscape where defenders must be right every time, while attackers only need to succeed once, security professionals are constantly on edge, their minds always ‘running.’
Brodie, who has extensive experience with the Department of Defense and state policing, emphasised how these high-pressure environments transform the understanding of cybersecurity – from a compliance-based task to life-and-death risk management. His insights shed light on the emotional and mental toll of the profession:
- 77% of Cyber Incident Responders report a strong sense of duty to help and protect.
- 81% experience heightened psychological demands due to the nature of incident response work.
Watch the full presentation below or read on for Brodie’s insights on improving your cybersecurity strategy.
The Fallacy of Historical Information Security Thinking

A threat is not going to be defeated as a result of deploying a capability but the application of a capability.
Brodie Downes
Traditional approaches to information security often emphasise broad capabilities in people, processes, and technology. However, Brodie highlights the need for a shift in perspective – these elements should serve as tools to implement specific countermeasures against clearly defined risks. This creates a tangible link between strategy and the risks being mitigated, ensuring efforts align with organisational priorities.
Using an analogy, Brodie compares a ballistic vest’s purpose (protection from bullets) to the function of a firewall. While a firewall doesn’t “protect from threats,” it can restrict traffic from point A to point B. The distinction underscores the importance of understanding and applying each tool’s specific purpose.
The challenge with generalised compliance frameworks is that they often fail to translate into risk-specific actions. This disconnect makes justifying ROI difficult in terms of business value. Brodie humorously compares this to how we handle hunger: if we tackled hunger the way we tackle InfoSec risks, we might prioritise buying the whole farm over ensuring we had actual food to eat.

Reframing the focus from compliance to actionable risk management enables organisations to achieve clearer, more impactful security outcomes.
Applying this analogy to a real-life project involving compensating controls, Brodie described an incident where an application had been designed without Multi-Factor Authentication (MFA). During the effort to uplift that application, the options put forward introduced security problems of their own that then needed to be solved, when in fact a capability that already existed within the organisation had simply not been considered.
Maximising Existing Technology Investments
Thus, going back to People, Process, and Technology: when an architecture is well designed, the capability follows, and an organisation might even have multiple capabilities flowing from the same investment. Conversely, security initiatives that are capability-driven may not make efficient use of the existing architecture, and the lack of synergy leads to wasted resources.
Brodie then advised linking the already-established capabilities with cybersecurity countermeasures in order to demonstrate a meaningful return on investment in the security programme. These countermeasures should be defined, structured, and managed so that the organisation maximises the utilisation of each solution or technology, rather than acquiring more solutions and underutilising each one.
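The chain Brodie describes, risk to countermeasure to capability, can be checked mechanically. The script below is an added illustration and is not code from the presentation or from MSS: it takes a small risk register, the countermeasures applied to each risk, and an inventory of owned capabilities, and reports the three failure modes discussed above, namely risks with nothing applied to them, countermeasures that assume a capability the organisation does not own (the "buy the farm" trap), and capabilities that are paid for but mitigate no risk (the MFA-capable identity provider nobody considered). Every risk, countermeasure and capability name in it is constructed sample data, and the "dlp" capability, the idle SIEM and EDR entries are assumed purely to exercise each branch of the check.

```python
"""Risk -> countermeasure -> capability consistency check.

Added illustration, not from the presentation: a capability (a firewall, an
identity provider with MFA, a SIEM) only contributes to security once it is
applied as a countermeasure against a named risk. The script reports risks with
no countermeasure, countermeasures that rely on a capability the organisation
does not own, and owned capabilities that currently mitigate no risk at all.
All names and entries below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    countermeasures: tuple[str, ...]  # ids of the countermeasures applied to this risk


@dataclass(frozen=True)
class Countermeasure:
    cm_id: str
    description: str
    capability: str  # id of the capability (people, process or technology) delivering it


# Constructed sample inventory of what the organisation already owns.
CAPABILITIES = {
    "idp-mfa": "Enterprise identity provider with MFA support",
    "firewall": "Perimeter and internal firewalls",
    "siem": "Central log collection and alerting",
    "edr": "Endpoint detection and response agents",
}

# Constructed sample countermeasures, each tied to the capability that delivers it.
COUNTERMEASURES = (
    Countermeasure("CM-MFA", "Enforce MFA on the customer portal via the existing IdP", "idp-mfa"),
    Countermeasure("CM-SEGMENT", "Restrict traffic from the user LAN to the database segment", "firewall"),
    Countermeasure("CM-ALERT", "Alert on impossible-travel logins", "siem"),
    Countermeasure("CM-DLP", "Block bulk export of customer records", "dlp"),  # capability not owned
)

# Constructed sample risk register.
RISKS = (
    Risk("R1", "Account takeover on the customer portal", ("CM-MFA",)),
    Risk("R2", "Lateral movement from a compromised workstation to the database", ("CM-SEGMENT",)),
    Risk("R3", "Exfiltration of customer records by an insider", ("CM-DLP",)),
    Risk("R4", "Ransomware on end-user devices", ()),  # nothing applied yet
)


def analyse(risks=RISKS, countermeasures=COUNTERMEASURES, capabilities=CAPABILITIES):
    """Return the gaps on each link of the risk -> countermeasure -> capability chain."""
    cm_by_id = {cm.cm_id: cm for cm in countermeasures}

    # Risks with no countermeasure applied, and references to undefined countermeasures.
    unmitigated = [r.risk_id for r in risks if not r.countermeasures]
    undefined_cms = sorted(
        {cid for r in risks for cid in r.countermeasures if cid not in cm_by_id}
    )

    # Countermeasures that assume a capability the organisation does not actually own.
    missing_capability = sorted(
        cm.cm_id for cm in countermeasures if cm.capability not in capabilities
    )

    # How many applied countermeasures each owned capability actually carries.
    usage = Counter(
        cm_by_id[cid].capability
        for r in risks
        for cid in r.countermeasures
        if cid in cm_by_id and cm_by_id[cid].capability in capabilities
    )
    idle_capabilities = sorted(cap for cap in capabilities if usage[cap] == 0)

    return {
        "unmitigated_risks": unmitigated,
        "undefined_countermeasures": undefined_cms,
        "countermeasures_missing_capability": missing_capability,
        "capability_usage": dict(usage),
        "idle_capabilities": idle_capabilities,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run as-is, the report shows R4 with nothing applied, CM-DLP resting on a capability that was never bought, and the SIEM and EDR investments carrying no countermeasure at all, which is the conversation with the CFO that the talk is asking for: each line of the report is either a risk to fund a countermeasure for, a purchase to question, or an existing investment to put to work.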
Don’t buy the farm, buy the burger.
Brodie Downes

At the end of the day, a security programme's expense should be justifiable to the CFO. A good way to achieve that is to ask key questions that link each security initiative back to the organisation's business objectives:
Capabilities
- Do the capabilities actually prevent threats?
- Are the capabilities actually being used as countermeasures?
Countermeasures
- Will the security countermeasure move the needle?
- Will the countermeasure add direct value to the organisation’s bottom line?
- Will the countermeasure actually impact the people within the organisation?