Cybersecurity Is Art, Not Just Science
What?!? I know someone out there may stop reading this because it seems so absurd. But hear me out for a minute. What is art anyway? Check out these popular definitions and see if you wouldn’t agree that cybersecurity is art and science.
Art … a “skill” or a “tradecraft”
Prior to the 1800s, “art” was considered a skill, discipline, or tradecraft. This is why we refer to karate, tae kwon do, judo, and jiu-jitsu as “martial arts.” Hacking, forensics, threat intelligence gathering and analysis, social engineering, and many other facets of cybersecurity require years of hands-on experience and training.
Art … expression or application of human creative skill and imagination
Pen testing is the ultimate expression of applied creativity. Whether it’s making a restaurant purchase with your own credit card to slim down the number of possible files containing card data, or constructing elaborate spoofs, pen testers apply out-of-the-box thinking to elegantly get over, around, and through corporate defenses.
Art … creating visual, auditory, or performing artifacts intended to be appreciated for their beauty or emotional power
Hackers work hard. They do elaborate planning, testing, and exploring. So what’s more emotional for them than breaking through that last barrier … only to find a colorful artifact left by the blue team in that honeypot? Odds are some colorful expressions may also be worked into the fake payload. <Smile>
Defensive tactics that can truly lure hackers into this false reality are truly an art.
Art … something that reveals the essential or hidden truth
“We all know that Art is not truth. Art is a lie that makes us realize truth.” –Pablo Picasso
What’s more emotional for a CEO than having your team gut-punch you with the words “we’ve been hacked”? Perhaps only the addition that “you bit on a spear-phishing attack.” Cybersecurity reveals the harsh truth that so many of us are loath to see: We are all vulnerable to cyber attacks, and the consequences can be life-shattering.
When cyber teams award $100 to an employee who successfully calls out a person walking around without a security badge, or disclose that 17 employees clicked on a fake PDF file they circulated, it is a clear revelation of where our vulnerabilities truly lie. We need to not only worry about zero-day attacks, but also that a Trojan isn’t walking in the front door disguised as a “repair technician.”
We still talk about it today because when the truth of its vulnerability was revealed, Target had no idea the far-reaching impact of its breach. Third-party vulnerability is a truth we’ve been grappling with ever since it was revealed through that incident.
Arts and Sciences
At this early stage, cybersecurity may more closely resemble the School of Hard Knocks than a College of Arts and Sciences. However, when witnessing the creativity of pentesters or the wiliness of red team competitors, it’s hard to see their exploits as anything but dramatic and imaginative creative expressions. And what else is art?