What is a Cassandra? In Greek mythology, Cassandra had the gift of prophecy, but was cursed by Apollo so that her predictions would always fall on deaf ears. What does this have to do with cybersecurity? We often see this play out with an organization’s leadership when it comes to warnings about proactively protecting data.
Why are the IT Cassandras so often ignored? Drawing on the theories in the book “Warnings: Finding Cassandras to Stop Catastrophes” by Richard A. Clarke and R.P. Eddy, we can make several correlations:
- Character of the one sounding the alarm – In the IT correlation, it is less often the character and more often the fact that the IT person is an internal resource, and therefore their warning may be viewed as merely an opinion or a way to justify their role or spending on a pet initiative.
- Threat magnitude – Sometimes the magnitude of the threat is difficult to comprehend. If the organization has not experienced a cyber incident in the past, the C-level and Board may have difficulty processing the threat due to what the authors refer to as “first occurrence syndrome”.
- Pride/beliefs – The executive or management team may have their own beliefs, pride, and possibly another agenda that takes precedence over the warning.
The authors warn against dismissing your Cassandras, and offer the following steps:
- Don’t simply dismiss warnings. Consider the source, their reasons for sounding the warning, and the possibility that it could be true.
- Ask for supporting information. Why does the person sounding the warning believe it to be true? What is the evidence to support the belief? What metrics can be gathered?
- Prove or disprove. As the steward of the organization, it is ultimately up to you to protect it, and the data you are entrusted with. If needed, get an outside opinion from a cybersecurity firm to help you understand the evidence and your level of risk.
If you can’t disprove the threat, it could be real. And you don’t want to be the one who didn’t heed the warning!