What Rock Climbing Has Taught Me About Cybersecurity
First of all, I don’t climb rocks. I am petrified of heights. Alex Honnold is someone who does climb rocks. You may have heard of him from the 2018 Academy Award-winning documentary “Free Solo”. Free solo climbing is an extreme sport and the most dangerous form of climbing, where climbers have no ropes or other form of protective equipment. The documentary provides a gripping account of Alex’s journey to climb El Capitan, a 3,000-foot rock formation in Yosemite National Park, without any safety equipment. It’s a must-watch for anyone interested in extreme sports or human achievement.

Alex Honnold free solo climbing on El Capitan’s Freerider in Yosemite National Park. (National Geographic/Jimmy Chin)
To mere mortals, free solo climbing is extremely risky. Not so for Alex. Alex differentiates between risk and consequence. He frames free soloing as low risk and high consequence. The consequences of falling from a great height are equally severe for everyone. The risk is defined as the likelihood of something going wrong, which can be mitigated through meticulous planning and preparation.
In 2019, I was invited to speak at the Cyber Security Summit in both Atlanta and Denver. A key theme of the summit was the “Insider Threat”. The Cybersecurity and Infrastructure Security Agency (CISA) defines insider threat as follows:
“The threat that an insider will use their authorized access, intentionally or unintentionally, to do harm to the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems”
I am not a threat researcher and so, as a panelist, I thought I’d better do some homework and research the topic to avoid publicly embarrassing myself on stage. I stumbled across an interesting study from Cisco researchers. In the Cisco 2018 Annual Cybersecurity Report, Cisco researchers shared some interesting insights. In the study, 150,000 users were profiled in 34 countries over a 6-month period. Of these 150,000 users, 0.5 percent of users were flagged for suspicious downloads.
What does 0.5% mean to you? To me, it means low risk. If I were a CISO (I’m not), perhaps there might be other threats that have a higher likelihood of occurring that should have a higher priority.
However, what if we consider consequence? In the Cisco research, the flagged users downloaded 3.9 million documents in a 6-week period. That’s a lot of documents. The content of those potentially leaked documents may have significant consequences. Maybe they contain secrets, intellectual property or something of significant value? The Private Manning and Edward Snowden incidents are two fascinating case studies if you wish to dig deeper into the “Insider Threat”.
To conclude, how Alex frames risk and differentiates consequence is insightful and has informed how I personally assess risk. How might it affect the lens through which you assess risk?