Finding The Hidden InfoSec Story

The Art of Boiling Frogs (And Teaching Executives)


Photo Credit: Hey Rossco via Compfight cc

Some time ago I was at a restaurant with my friend William Beer and we were talking about his ventures in Brazil, more specifically about his frustrations when he was talking to representatives of various institutions and how much they were ignoring the issue of information security.

I asked him how he conducted these conversations. He explained that he scheduled meetings with the executives, presented them the cyber threat scenarios and explained how these threats were already active in Brazil.

I started laughing. He kept looking at me seriously. I found the image of a serious Canadian getting frustrated in this way amusing. “William,” I said, “you tossed the frog in boiling water! It was certain he’d jump!”

He hadn’t a clue what I was saying. So I told him about the legend of the Amazon frog and how to boil it. Legend has it that in the Amazon there are thousands of species of frogs and toads, some of them edible, but it is necessary to boil them by increasing the water temperature slowly. If you forget this detail, the frog realizes the threat and jumps out of the pan.

I became more relaxed as he began to smile; I think at that point he understood where the story would lead.

“Do you understand William? You tossed the executives in boiling water. They reacted instinctively and they jumped. If you are working with an audience that has little or no visibility of the digital security landscape in which they live, and you start by giving them that shock of reality, they will panic. How about starting by establishing contact and begin addressing the points of attention more gradually?

Let’s plan our actions like effective digital attackers. Digital attackers today do not invade the environment abruptly. They enter the environment slowly, trying to avoid the monitoring systems, and, as time goes by, their activities start looking like the system’s usual activities; only after quite some time does the data extraction begin, also in a gradual fashion.

If this strategy works in attacking our environments, why not learn from the attackers and use their technique to our advantage? Let’s communicate more often, and in a more lightweight manner, with executives. In this way they can get used to the security landscape and to our jargon. This will help us build trust and explain the correct threat context, so that we can start talking about cyber security matters in a more intense and complete fashion.”

At that point William interrupted me: “Do you know The Analogies Project?”

And so here I am boiling frogs, increasing the temperature one degree at a time – in other words, I’m helping to build the security context for executives one analogy at a time. I hope you’ve enjoyed it.

This analogy is also available in the following alternative languages.

Portuguese

Author: Rafael Lachi
