Who’d have thought that music could be political? Or that musicians might have political views?
Let’s take the song Killing in the Name by Rage Against the Machine, shall we?
Could it be the name of the band, which is explicitly political? Or maybe just the sight of the album cover, which shows the iconic photo of the self-immolation of Thích Quảng Đức, the Buddhist monk who burned himself to death in protest to the Vietnamese government?
How about the song titles or lyrics? Or maybe the statements of band members over the past thirty years?
While it’s true that a great many musicians do not make their political views explicit in their art, bands like Rage Against the Machine are very clear about their political positions and made it a central feature of the band.
Frankly, I find it utterly baffling that anyone even remotely right-leaning would find the lyrics appealing, but they do. My favourite example was Paul Ryan, who described himself as a fan, leading band member Tom Morello to comment that “Paul Ryan Is the Embodiment of the Machine Our Music Rages Against”.
So, it seems clear that we have some reason to believe that politics can affect other facets of life.
Thus, it seems apparent that the Russian invasion of Ukraine might increase the risk of cybersecurity incidents related to actors associated with Russia. The US Cybersecurity and Infrastructure Security Agency (CISA) has been quite clear about the nature of the elevated risk associated with Russia, and has been actively maintaining and expanding their list of Known Exploited Vulnerabilities (KEV), in order to manage US government security risk, as well as provide a service to the general public. (Side-note: Recently the Cyberwire started providing “flash cybersecurity advisories” from CISA in podcast format as a public service – kudos to them for that!)
Should we panic this time? Is the internet on fire (again)?
I have noted before that prioritization is one of the most important challenges facing most organizations. I would also say that panic is one of the greatest risks, as it leads to hasty decisions which are often wrong (or at least sub-optimal).
One of my favourite stories (sadly, I don’t remember where or when I read it, else I would provide a source) is about a company who has experienced a major event. The company leadership team goes to the CEO’s office in a panic, to figure out what to do.
The CEO quietly asks each member of the team to provide an update, and listens passively while they do so. When all of them are done, the CEO stands, walks over to the coffee service in the conference room and asks if anyone else wants something to drink, then proceeds to pour coffee.
Through all of this, the level of tension of everyone else in the team was extremely high, and the team was expecting the CEO to become extremely agitated as well. By remaining calm, the CEO gave time for fight/flight adrenaline rush to trail off, and everyone started to calm down.
A minute or so later, the CEO repeated their understanding of the situation, then asked each team member for suggestions on how to proceed. By this time, everyone had calmed down and were able to begin thinking clearly.
Now, how does this help us manage this latest iteration of “the sky is falling”? If you look at CISA’s KEV listing as something new that you need to manage, it probably seems like a new pile of work hitting your desk.
But consider that the KEV list is not telling you about any new vulnerabilities. Instead, it’s a tool to help you prioritize better. That’s a positive benefit, isn’t it? By spending time on vulnerabilities that we know are currently being exploited by bad actors, we address the things which are actually on fire now, and can deal with that before turning to potential issues (which still, of course, need to be done).
In most organizations, there is not much question about what needs to be done, but rather when and how to do things (more) effectively and efficiently.
So, break out the broom and start sweeping, and welcome the new tool available for doing so!
Cheers!
Comments