Security Experts:

Forced Perspective: Your Cyberdefense Tactics Appear Bigger Than They Are

My youngest daughter has single-handedly held up one end of the Forth Bridge in Edinburgh, Scotland. My son? He’s been photographed kicking over the “Heel Stone” at Stonehenge. I myself was captured in Kiev, Ukraine back in the 90s holding the Motherland Monument in the palm of my hand. That thing is all steel and over 200 feet tall!

Unbelievable, you say? Well, I have the pictures to prove it. Kind of.

Alas, my family is not superhuman, nor are we Marvel comic book characters hiding amongst the general population. It’s that old, mildly entertaining optical illusion called “forced perspective.” It can make you look bigger, stronger and generally more superhuman than you actually are, but it’s only an illusion.

: Your Cyberdefense Tactics Appear Bigger Than They Are

Ordinarily, forced perspective isn’t significant for much more than a laugh. In fact, perhaps its most widespread use is via teenagers on Instagram. Mostly mine, I think.

That said, it is used somewhat seriously in art, film and most substantially in architecture. For the latter, forced perspective in the hands of talented architects and planners can sometimes create very real effects that go completely unnoticed in everyday life. Unlike clearly absurd photos, they can make us subconsciously believe stairways are longer than they are, hallways more spacious and cramped housing developments are more open. In many of the best examples, it’s almost natural. Literally seeming a part of nature.

In other words, the effect can make us think things are better than they are and we don’t even know it.

Teenage popularity notwithstanding, forced perspective has lately become a very significant way for me to understand how most businesses view their cybersecurity. And it’s far from laughable.

In fact, most businesses today are not as secure as they could be due to an inaccurate view of their own cyberdefenses. And they don’t even know it. Most notably, business leaders and security professionals alike in today’s enterprise world regularly take snapshots of their own operations and see a flurry of activity, lots of people, lots of spending, tools in every shape and size, data feeds from literally dozens (or hundreds) of outputs and more, and think they must be well-positioned against their target - cybercrime.

Sadly, the target object is in reality always much bigger and much farther off in the background. The mendacious trick of forced perspective.

So why? The images look real enough, right? Real enough, in fact, that almost no one even notices.

Over Emphasis, or “Flipping the Landscape”

One of the key techniques involved in most forced perspective construction involves over-emphasizing the position of the object or space you want to be the most important in contrast to features you want to overcome.

In the case of cybersecurity, there is pretty much a conventional wisdom for how you protect yourself against cyber threats. Spend tons of cash, buy firewalls, install and configure IDS/IPS systems, hire lots of staff, send them to conferences, study threat actors, track progress every quarter and accrue monies for when you get sued. It’s what everyone else does, it’s what’s always been done and it feels natural.

All of it may be prudent and necessary to be sure - after all, who leaves their doors open at night. But it does create a false sense of one’s security reality, as it were. A sense that, because the world looks right, everything is. More dangerously, once the image is accepted by the brain, it causes us to ignore further scrutiny and analysis and accept that things are natural and as they should be.

For architecture, this is the intended purpose. Cheat the mind into thinking something’s more than it is; more spacious, more open, bigger or longer. That’s a good thing.

But for our businesses and their security, this effect is lethal. In the face of a threat that demands dynamic attention, it causes lethargy and laziness. We forgo thinking outside the problem, looking at things from fresh perspectives, trying new things or innovating to overcome challenges or fix unsatisfactory conditions. We even ignore fundamental, practical things, such as root-cause analysis, risk management, software patching, access control, training, communications and effective info-sharing. New and old threats become invisible, blending into the landscape.

Thus, insecurity becomes a part of the fabric of our lives. We come to ignore the very real connection of individual elements all around us on our products, our brands and reputation, IT infrastructures and financial bottom lines. As such, any specific measure of effective cyberdefense - already an impossible challenge on the whole - becomes unrealizable.

Manipulating Expected Dimensions

When forced perspective is used in architecture, fundamental details of things that we all accept as natural (such as width, length, height, angles and ratios) are altered outside expected norms to achieve big effects. For example, stairs are made wider at the bottom and more narrow as they go to the top than is standard in most staircases we encounter each day, thus creating the illusion the staircase itself is much more approachable than it is.

In the case of enterprise cybersecurity, we do the same things week in and week out in building our cyberdefenses.

For example, across industry, very few companies invest heavily in strategic planning and risk management programs built specifically around cybercrime. Even though it’s probably as big a threat as anything else to corporate success, there’s very narrow commitment to diligently gathering and analyzing high-level data about what makes a specific business a target across the board. There’s very little emphasis on proactive identification of risks, consequence triage or overall response management. Instead, SIEM tools, threat intelligence and the gamut of other low-lying operator tools are much more broadly invested upon as the foundation of cybersecurity programs.

The effect? The sense that it’s a nice long, gently-sloping and comfortable stairway upward, when in fact it’s a steep and hard climb.

Forced cyber perspective is an illusion. Study the image a little more closely and embrace the reality of your business and its specific cyber risks. Seeing things as they really are is always more effective than a pretty picture that lulls you into a false sense of how safe you are and, more importantly, how safe you can be.

view counter
Jason Polancich founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.