Fishing vs. Phishing: Cybersecurity Lessons from a Fishing Boat Captain
I’ve learned a lot of lessons during my time on the water, including a few that CISOs everywhere should take to heart.
When people ask me how I balance my work as a CISO while also pursuing my passion as a fishing captain, I tell them the truth: It’s easy. In fact, you might be surprised at just how much overlap there is between the two mindsets (“phishing” attacks got their name for a reason, after all). The only downside is there’s never enough time in the day to achieve both! I come from a long line of ship captains and harbor masters, and I’ve spent more than three decades captaining boats from New Orleans to Boston. I’ve learned a lot of lessons -- some the easy way and some the hard way -- during my time on the water, including a few that chief information security officers everywhere should take to heart.
Lesson #1: Control what you can control.
If you spend a lot of time outdoors, you learn pretty quickly that there are things you can control and things beyond your control. You can’t control the weather, or the wind, or whether the fish feel like biting. On the other hand, you can make sure your boat is well maintained. You can have redundancies in critical systems like engines and communications. You can bring backup rods. You can also make sure you’ve done your research: Do you know what fish are likely to be in the area, and do you have the right bait for them?
There are plenty of things you can’t control, but putting the right amount of effort into the things you can control will make or break your trip. There’s nothing worse than being caught in an electrical storm that was forecast, but that you never checked on, and now facing a multi-hour run home in big seas and driving rain. It’s also not much fun when fish are breaking all around you but you didn’t bring the right tackle or bait!
Security is much the same. You can’t control when the next zero-day will emerge or how attackers will operate, but you can control your overall security posture and how mature your incident and vulnerability response practices are when those threats arrive. Attackers will always find ways to surprise you, but effective risk management starts with putting the right solutions and policies in place. There is no single “silver bullet” that prevents every attack, but strong detection and mitigation capabilities keep you agile and give you a measure of control against ever-evolving threats. Knowing your weaknesses and the mechanisms available to mitigate them, whether incident-response retainers, managed service providers (MSPs), or resiliency plans, will keep those surprises to a minimum, though it can’t eliminate them.
Lesson #2: You don’t necessarily need the “latest and greatest” technology.
Serious fishermen have a lot of fancy equipment at their fingertips these days, but a successful fishing trip doesn’t require much more than a rod and a reel. Of course, the equipment you have might limit what you can do: While it’s technically possible to spear a giant swordfish from a boat the size of a canoe, as they used to off Martha’s Vineyard, there are far less challenging (and stressful) ways to catch a fish.
But the point stands, and it applies to security, too. A top-of-the-line sonar system can cost upwards of $300,000, but do you really need it? Well, that depends on where you’re fishing, and what you’re fishing for. It doesn’t matter how great your equipment or technique might be -- if the fish aren’t there, you won’t be successful. In the security world, having the right tools, and people who know how to use them, is a lot more valuable than always looking to buy the “latest and greatest” equipment.
The current AI market is a good example of this. Before you implement an AI solution, do you actually know how it works and how to maximize the benefits? You can have a huge boat equipped with the priciest fish finder money can buy, but if you don’t know how to use it, you’ll be going home hungry. It’s all about understanding where your strengths and weaknesses lie and making the appropriate investments to compensate. Spending all of your time and resources to mitigate risks in your lowest sensitivity environment is a lot like taking an 80’ sportfishing boat to a trout pond.
Lesson #3: Different vendors have different strengths.
Any fisherman will tell you that you can’t expect a single vendor to satisfy every need. There are companies that make incredible sonar solutions, but when it comes to radar, they lag the competition. On the other hand, companies that make top-of-the-line radar solutions usually don’t offer the best depth finders. You don’t need to break the bank, but you do need to find the solutions that make sense for you -- whether that’s one piece of tracking software or taking a holistic approach to outfitting your boat with a comprehensive system.
Security is no different. A company that provides high-quality identity solutions probably won’t have the same level of expertise when it comes to endpoint security. That expert deep packet inspection solution isn’t going to help you much when someone plugs in a USB drive they found in the parking lot. It’s important to know which tool is best for which job, no matter which area of your security posture you’re looking to strengthen. If you need an identity solution, look for a vendor that understands your business, your industry, and your specific needs. If you’re seeking governance, risk, and compliance (GRC) help, look for a vendor that can provide a holistic view of your digital ecosystem. Different areas of risk and security require different types of expertise, and you want to ensure that each vendor you work with truly understands your needs and can meet them.
Lesson #4: Learn and leverage what motivates people.
When fishing for specific species, it’s crucial to know their lifecycle, habits, feeding patterns, and behaviors. A largemouth bass might be happy to eat a frog, but a giant bluefin tuna will never have seen one. Learning your “audience” or “target” and what motivates them helps you be successful both on and off the water.
This becomes crucial when speaking to business leaders: Frame the risks in a manner that motivates that particular executive. Learn what they’re passionate about, what metrics they are judged on, and what their strategy is, and then you can more easily explain, for instance, why a newsworthy security incident will damage brand reputation when speaking to your chief marketing officer.

The converse is true when trying to understand how a specific department may be targeted for an attack. Finance teams are regularly targeted by wire fraud and phishing attempts. Just as the frog wasn’t a motivating bait for the tuna, an XLS invoice with a malicious payload labeled “Invoice 123456” isn’t a motivating bait for an HR representative. Understanding the motivation helps you craft defenses and education for each user population.

And finally, learn what motivates your staff. Look around any organization and usually there will be a gaming circle, a sports circle, or a cooking circle, and many times department lines fall pretty closely along those circles. Chances are the gaming circle, the people who strive to figure out a problem or strategy, will be drawn to functions like incident response, where there is always a new problem to untangle and solve. It’s human nature, and your staff will be happier in the functional areas that best support their motivations.
Learning the Right Lessons
People are often surprised when they learn that the CISO of a risk management company is also one of the best fishing charter captains in New England (passenger proclaimed), but the truth is that my time on the water has made me a better leader. With the bigger game fish farther offshore, the risk management and safety aspects grow exponentially. If your boat sinks in a small pond, you swim to shore. If your boat sinks at the canyons 100+ miles out in strong currents, you had better hope you have mitigations and training at the ready. Knowing where to focus your efforts, how to allocate resources, and how to evaluate potential vendors is just as important for a CISO as it is for a fisherman. Whether you’re navigating today’s digital threat landscape or heading for deeper waters, a little planning goes a long way, and it’s critical to approach your task with the knowledge, planning, and equipment you need to be successful.