What Driving Can Teach Us About Cybersecurity

Cybersecurity is still a young art compared to other business functions. The first CISO role only dates back to 1995, but CFO, COO, and others have existed since somebody figured that you could hand over small pieces of shiny metal in exchange for goods and services - in spirit if not in name. We are still learning quite a bit about how to do cybersecurity well, in both business and our personal lives. There are plenty of lessons and parallels we can take from an almost universal experience in America: driving.

We Don't Get To Pick Who (or What) We Share the Road With

There are trucks, sports cars, bicycles, pedestrians, and even the odd unicyclist. (No, seriously, saw someone last month, honest!) There are coal rollers, EVs, high performance machines, and rust blobs being held together with strong will and hundred-mile-an-hour tape. There are professional drivers, new drivers, daredevils, jerks, and drivers past their driving prime. There are even AIs doing at least some of the driving. Intoxicated drivers are out there too - and don't pretend that intoxication while computing can't lead to security issues too.

We have the same thing on the Internet. There's the home user who upgrades their firewall/router annually, and that person's neighbor who's hardware is so old the cheap plastic that started off beige has moved all the way through yellow to worryingly dark brown. Whose ventilation ports are so full of dust bunnies you'd swear an actually animal will spontaneously come into being with luxurious fur to make a mink jealous. There are professionals who know you don't click on that link, and there are new users for whom every link is just a new adventure to try out. There's corporations still running Windows Server 2003, and there are others who actually contribute to the Linux kernel and update daily. There are the daredevils, riding their proverbial motorcycles as they weave in and out of traffic, driving on the lines between lanes while traffic is flowing at 60, not wearing a helmet.

At Least Half of Drivers Are Below Average

That's what average means after all - that half of something is above the average and the other half is below it. So, too, go cybersecurity programs. A question worth pondering is: do above average security programs experience breaches? Of course they do. So what about below average security programs?

What's even worse is that per AAA, 73% of US drivers believe they're above average drivers. Somewhere between 23 and 77% of drivers are wrong about that.¹ The point isn't so much about the specific math, but that people often over-inflate their own skills and capabilities. Also, merely being above average doesn't necessarily mean you're "good," it just means at least 50% of people are worse at a thing than you are. What this tells me about cybersecurity is that we need to "drive defensively," on the road of cybersecurity. This goes beyond "zero trust" models, and really tells us we need to be extremely careful who or what we share our information with.

Unsafe Vehicles Impact Us All

That car with no working brake lights, the one that belches a blue smoke cloud behind it while idling at the stoplight, the truck running so rich it backfires every time the driver lifts off the gas, the semi about to blow a tire, or the car with the alignment so far off that it tries to hook worse than my woods do off the tee² - those all make driving unsafe even if you're in the latest Volvo with the 37 star crash rating, automatic braking, and everything else they could cram into that state-of-the-art station wagon.

Every SOHO router that gets recruited to a nation state botnet, every open source packaged corrupted by a malicious actor, and every enterprise software package running past it's EOL date is a risk to all of us.

Consistent Traffic Laws and Enforcement Makes Driving Better and Safer

Anywhere in the US the basic traffic laws are the same - you stop at a stop sign, you go on a green light, you can usually turn right on a red light, and if you can't it is posted. Speed limit signs use the same shape, colors, and fonts. Having the confidence that the person who blatantly ran the red light and plowed into your car will get ticketed is part of what makes the system work.

In cybersecurity however, we have significantly different laws depending on what sector you're in (healthcare, finserv, etc.) and what jurisdiction your customers are based in. Publicly traded companies have different requirements to live up to compared to private companies. And if your customer is the federal government you've got still other requirements. We're also extremely fuzzy on what the penalties are for violating cybersecurity regulations. Is it any wonder that organizations argue for the minimum possible interpretation of requirements, or that it has proven difficult to hold them accountable in most cases?

Be Prepared For Changing Conditions

It seems to be just logical to not try to cross the Rocky Mountains with summer tires on your car. Some of those passes are high enough that snow and ice occur even if a few thousand feet lower it's a balmy day. Even F1 has two types of rain tiers in the pits at every race - even the ones in desert climates. How many of us have that umbrella in the car just in case? How about an emergency blanket? The snow scraper/brush just stays in the car year round? Maybe the jug of wiper fluid in the trunk? We all prepare for changing conditions in our cars to our own personal expectations. Sometimes that's adequate, sometimes you have to brave it to the nearest auto parts store for new wiper blades by sticking your head out the side window.

In about 2020 the security landscape changed when Ransomware became the bane of organizations everywhere. Many companies who assumed cybersecurity breaches were about accessing their customer data were caught flatfooted at the idea that cyber criminals would hold their ability to do business hostage. What changes are coming next that will catch organizations by surprise?

Crashes Happen, Even To Good Drivers

You drive defensively. You follow the rules of the road. You signal your intentions. You still swerved to avoid that idiot who just cut you off and ended up over the curb and into a light pole. Sometimes a crash is about avoiding the bigger incident. Sometimes it is just dumb luck. Sometimes it is because you glanced down to change the radio station. You can be a very good driver 99.9% of the time, but you were feeling a little drowsy today. Fortunately your car has seat belts, airbags, automatic braking, and other safety features to help when something does happen.

Good cybersecurity, just like good driving, needs to include continuous attention to detail. And a little luck. Zero days are zero days because the attack can happen before anybody knew the system could be attacked that way. That's why layering defenses is critical. That's why monitoring for the unexpected is so important.

Your car insurance card (if you still carry a physical card) probably has some steps on it for what to do in case of a collision. Do you have those steps figured out for your incident response plan? Are they as easy to get to as a card in your glove box? Are the instructions clear and unambiguous? Can you follow them?

Just Because You Weren't Part of a Crash Doesn't Mean You Aren't Impacted

The Mythbusters were able to demonstrate how a single driver making a panicked or selfish move in traffic can build a traffic jam for miles behind them, if traffic is dense enough. Then there's the actual crash that happens ahead of you in traffic. Sometimes that crash you weren't a part of is just something you shake your head at a moment later as you drive by. Other times you're going to miss your flight because you're stuck for hours.

Supply Chain attacks are a bitch. That SIG questionnaire you make your vendors fill out didn't really mean a damn thing when gasoline wasn't flowing to the entire southeast in 2021, or prescriptions couldn't get filled in 2024, or car dealers can't finish their paperwork in 2024. MOVEit and Solarwinds weren't even on your list of concerns because, well, you don't use either of them, yet your world was impacted when both were compromised because they're hidden in your supply chain somewhere.

Just like with a car crash, do you have the plans or tools (maps, GPS, and traffic reports) to avoid or minimize the impact of those events?

Fault Doesn't Immediately Matter

Your insurance company will tell you to not admit fault at the scene of a crash. Emotions run high when a collision occurs. Last collision I was involved with, the other driver jumped out of their car and started yelling at me about why I was crossing lanes in the parking lot like that!³ My initial instinct was to argue with them about fault, but that wouldn't have mattered.

Hit and run's are a little different - you want to try to get a license plate number or a description of the perpetrator, but even that is often secondary.

First responder training teaches you that your first duty is triage: is anyone hurt, are they in danger of becoming more hurt, what needs to be done to stabilize them. Fault/blame isn't the first priority. In fact it's pretty far down the list, right up there with arguing with the insurance company over whether or not they should be springing for the luxury rental instead of the Yugo while you're without your vehicle.

Weirdly, in cybersecurity we focus a lot on attribution. It was Wascally Wabbit, Twisting Tornado Devil, or Discombobulated Duck! The government of Freedonia sponsored this attack! Outside of the FBI and international law enforcement, how is figuring out fault going to do much for you when an incident occurs? Mind you, root cause analysis is a great thing for later in the process, not while you're in the thick of the incident.

Regular Maintenance and Inspections Are Key

There's a school of thought that every time you get into your car you should walk around it and do a visual inspection. Any new dents or scratches - get a police report before you leave that parking lot. Tires look good? No busted lights? Got all the snow off the roof?⁴ Your owner's manual tells you how often to rotate the tires, change the oil, check the brakes, and a whole slew of other things. Keeping a car safely operating can be the difference between a routine drive and, well, lots of other outcomes. Monitoring gauges like the fuel gauge, engine temp, and oil pressure are important while running the vehicle to ensure your drive is safe and uneventful, and you don't do expensive damage to the car.

Some maintenance you can do yourself, some you can do if you're well versed, and some you really should just leave to professionals. Yes, there's a place for shade-tree mechanics, and a place for factory certified mechanics. Some states mandate periodic inspections by authorized 3rd parties to be sure your vehicle is road worthy. Some don't.

Cybersecurity is no different in these respects. Patching, regular replacement of aging systems, and continuous monitoring are all critical. So, too, are inspections. Red team assessments, application security assessments, tabletop incident response exercises, risk assessments, controls assessments. Compliance assessments as well. Continuous SecOps monitoring and tuning is extremely important - kind of like a dual-carb engine that needs to be tweaked often for best performance.

We know what happens when you ignore these on your car. The same things happen when we ignore them in our cybersecurity world. The difference in ignoring them is that you can generally find an alternate form of transportation in a pinch - there's no alternate cybersecurity solution just a rideshare app away.

Driving Off Into the Sunset

Just as car insurance is no substitute for safe driving, your cybersecurity insurance can't prevent you from having an incident. It's no substitute for poor cybersecurity behaviors as you pull into Internet traffic with all the other drivers. But if you apply some of the same concepts to cybersecurity that we apply to driving, well, you've got a shot at avoiding the worst of it. That's a pretty good place to drive off into the sunset from.

¹ If no more than 50% of anything can be above average (by definition) then 73-50=23, at least 23% of people are wrong. On the other hand, maybe only 23% of the respondents who self identified as "better than average" are right, and then the other 50% who thought they were are wrong. However, that means the remaining 27% who didn't consider themselves better than average drivers were also wrong, meaning 50+27=77% of drivers are wrong about how good they are. The number is most certainly somewhere between those two extremes

² I don't golf, but I'm not letting that get in the way of a snappy turn of phrase.

³ I wasn't and I had the dashcam video to prove it, but mentioning that wasn't going to get anything useful done. Fortunately logic won out over emotions for me in that instance.

⁴ My winter driving pet-peeve is people who can't be bothered to get the snow off the top of their car and who cause a white-out as they accelerate away from every stoplight. Yeah, it's off topic. It's a footnote!