Aphorisms abound in cybersecurity. They are clever, self-effacing and purposeful survival mechanisms that also teach hard truths about reality in what is possibly the most stressful occupation outside the military.
SecurityWeek talked to Bec McKeown CPsychol, founder and principal psychologist at Mind Science Ltd (and a visiting lecturer in applied psychology at Cranfield University) to understand the role and purpose of aphorisms in cybersecurity. We illustrate the discussion with genuine aphorisms collected from practicing security professionals.
Warning: the language can be ripe and occasionally offensive – but that’s often an integral part of being an aphorism. For this reason, all provider names have been withheld to protect the guilty – but every aphorism included here has been provided by a cybersecurity professional known to SecurityWeek.
Definition and basis
“Aphorisms are short, catchy phrases that give advice or share observations about life. They’re more than just clever sayings; they teach, pass down cultural wisdom, and influence how we think and feel,” says McKeown.
She accepts the Oxford Reference definition: an aphorism is “A succinct, pithy adage or maxim expressing a universal truth, such as Procrastination is the thief of time.”
In short, she explains, “People create aphorisms to condense complex ideas into simple, memorable phrases. These sayings are designed to stick in our minds, making them easy to recall and repeat. They help communicate important messages quickly, which is particularly useful in business, in managing relationships, in teaching, and on social media.”
More specifically, psychologist McKeown adds, “From a psychological perspective, aphorisms also act as mental shortcuts. They are short in length and often written in a rhythmic style which makes them easier to remember than long, complicated sentences. The use of imagery and metaphor also makes them more memorable. They give us quick insights or rules of thumb to make decisions without needing to think too hard.”
With added humor, a short and simple aphorism becomes memorable. A quick example is The S in IoT stands for Security (hat tip to El Reg for this one). But they can rapidly become more complex.
Two non-security-specific aphorisms, ‘if you can’t stand the heat, get out of the kitchen’ (self-explanatory) and ‘pee or get off the pot’ (meaning stop procrastinating and do something), are combined in this one: If you can’t stand the heat, get off the pot.
The message here is that you have two options. If the heat of working in cybersecurity is too great, you can choose to leave the environment or pee and put out the fire – but you should stop procrastinating and do one or the other.
Reality comes with a different aphorism (apparently borrowed from the military): You can only pee with the prick you are given. The ultimate message is to do the best you can under the applicable circumstances (while subtly accepting that you are never given sufficient resources to solve the problem). Ambiguity and double entendre are key elements of the best aphorisms.
Function and purpose
McKeown isolates three primary areas in the function and purpose of aphorisms:
1. Influence and persuasion
“Aphorisms can evoke strong emotions and this, combined with their ability to condense complex ideas into simple sayings, makes them powerful tools for changing attitudes and behaviors by reframing thinking and promoting change.”
Example: You don’t need to outrun the bear; you just need to be more secure than the next guy.
The humor comes from the slight change to the popular saying ‘You don’t have to outrun the bear; you just have to outrun the guy next to you.’ This aphorism accepts that you cannot ultimately avoid being compromised, but if you make life difficult for the attackers, they will go somewhere easier. This is the fundamental principle behind the old policing concept known as crime prevention through environmental design (CPTED): make life harder for the criminals and they will go somewhere easier. That’s the best you can do.
2. Behavior change
“Aphorisms can evoke strong emotions and this, combined with their ability to condense complex ideas into simple sayings, makes them powerful tools for changing attitudes and behaviors by reframing thinking and promoting change.”
Example: Encryption only works when you don’t leave the keys under the doormat.
Example: Bad guys like to attack the back of the herd… patch your shit.
3. Cultural norms
“Aphorisms are a way of passing on norms and beliefs, and values of a culture, helping to educate and maintain cultural identity. While they often reflect broad cultural values like hard work and honesty, they can also show individual beliefs, making them a powerful way to share both personal and collective wisdom.”
Example: If senior management is willing to accept the risk, then you’ve done your job.
Example: If you don’t get on the bus, you’re gonna get thrown under it.
Themes specific to the cybersecurity industry
Ineffectiveness of products
One of the major problems for security leaders is that they are expected to achieve too much with too little. Security is usually under-resourced. It often has insufficient budget, not enough staff, and security products that don’t work.
The last of these is partly due to the success and professionalism of a much longer-established profession: marketing. CISOs need to remember that a salesperson’s priority is not to solve the customer’s problems, but to sell the supplier’s products.
Example: The purpose of product marketing is to blow smoke up your arse.
This aphorism simply stresses the reality of marketing. It doesn’t blame marketing but urges the buyer to understand that reality. The result of marketing’s success is the failure to install the right product for the job, even if one exists.
Example: For most cybersecurity solutions, 60% of the time they work every time.
The elusiveness and impossibility of security
Absolute security within operational business is impossible. This is because security is fundamentally a reactive response to proactive aggression: defenders never know when, where or how bad actors will next attack. Numerous aphorisms are designed to teach and stress this reality.
Example: Defenders need to succeed hundreds of times every day; attackers need to succeed only once.
The fundamental problem (stemming from the volume of attackers and the variety of their skills) is the unknown unknown: defenders do not know when, where, or how they will next be attacked. And you cannot defend against what you do not know. There are three approaches to this reality: despair, caution and aggression, expressed within aphorisms.
Despair examples: You’re not the smartest in the room. If you were, you wouldn’t be in the room.
And: It’s too late; that horse has already bolted.
Caution example: Anything made by a human can be unmade by a human.
And: CISOs don’t turn over a rock to discover a problem until they have a solution to the problem.
Like many aphorisms, this last one is ambiguous and can be interpreted in many ways: ‘don’t change things until you have a mitigation or patch’; ‘don’t be so cautious you miss the problem’, or even, God forbid, ‘CISOs are incompetent’.
Aggression examples: Vulnerability research is offensive.
And: The best zero-day defense is knowing about it yesterday.
And: Vulnerability research is knowing your enemy’s weapons before they are forged.
The fundamental message of the ‘aggression’ aphorisms is that despite the difficulties, don’t be passive. We come back to the earlier aphorism: If you can’t stand the heat, get off the pot.
Dependence on unprovable or inadequate data
Security leaders are required to communicate with business leaders in a language that businesspeople understand. They must translate their own metrics into business-speak. But the metrics themselves cannot always be trusted. A CEO asked the marketing manager, ‘What do the statistics tell us?’ The marketing manager replied, ‘What do you want them to tell us?’ The same applies to metrics – neatly summarized by, The flaw of averages is your worst enemy and your adversaries’ best friend.
A close variation on this theme is, We don’t believe in benchmarks – and neither do our adversaries.
Aphorisms as simple good advice
Given the difficulties of cybersecurity as a profession, the area is replete with aphorisms that are simply designed to provide good advice, underscored by a dash of humor. An excellent example of this is, The biggest difference between sass and SaaS is one hurts your feelings, and the other cancels every flight on Friday. It’s true, it embodies a witty play on words, and it underscores the difficulty in securing SaaS apps while stressing the danger of failing to do so.
OPSEC means never having to say you’re sorry is good advice in few words; but it gains humor and more insight for anyone who has seen the 1970 movie ‘Love Story’ (Ryan O’Neal and Ali MacGraw). ‘Love means never having to say you’re sorry’ was spoken by Ali MacGraw’s character and has since become a cultural, albeit verbal, icon.
Resourcefulness with small data is always better than complexity with big data. This is another statement with multiple possible interpretations. Complexity is always a danger to security. This is true for both the security stack and the data to be protected. So, at one level it simply suggests that clever use of fewer resources will be more effective than just buying another product to plug a perceived gap and increasing the complexity of what needs to be defended. If you can only pee with the prick you are given, use it well rather than profusely.
Summary
“Aphorisms,” suggests psychologist McKeown, “with their short and memorable nature, play a big role in communication, teaching, cultural preservation, and influencing how we think and feel. By turning complex ideas into simple, impactful statements, they help persuade, preserve cultural wisdom, and encourage personal reflection. Understanding how aphorisms work shows their importance in shaping our thoughts, behaviors, and cultural identity.”
We’ve included a few common and current aphorisms in this illustrated guide. There will be hundreds more out there. From our small selection we have tried to show the aphorism isn’t just a throwaway joke. It may incorporate a joke — indeed, the best ones do — but aphorisms are not throwaways. They embody intrinsic truths within a verbal mechanism that is memorable and encourages deeper contemplation. The aphorism is effectively a valuable cultural phenomenon for spreading the wisdom of experience — and cybersecurity, with its complexities, nuances, contradictions, and perpetual stress, is a fertile field.