When I present or teach on a security topic, I take the time to cover the mindset of the adversary. There are a lot of maxims out there to “know thine enemy,” but here’s a good recent one that explains why:
“Unless you can think the way that an evil person thinks, then you’re defenseless against them, because they’ll go places you can’t imagine and then they win.” – Dr. Jordan Peterson
Dr. Peterson said this on episode 98 of the Jocko Podcast.
The context of the quote was that Dr. Peterson and Jocko were discussing a particular foreign affairs official. That official, after a horrific incident, stated he couldn’t think like the people who committed the evil act. Peterson disagreed. His view is that someone in that position had to be able to think like an evil person. Otherwise, such a person couldn’t adequately do the job, because they would continue to lose.
The same is true in security. We can laboriously implement best practices and benchmarks, but unless we can think like someone who actively seeks to do harm to us, we aren’t going to see the gaps. We aren’t going to see where the weaknesses are. Those gaps and weaknesses will be exploited. We will lose every time we come up against a motivated foe. Therefore, it’s not enough to know what safeguards you should put into place. It’s also critical that you think about how someone might bypass those protections or how they might exploit them.