What Star Wars Teaches Us About Risk Management

May 4, 2022
Kenna Security

Whether you’re a Star Wars fan or not, you can’t disregard the cultural impact this series has had on generations. Even the non-obsessed among us can thank this cinematic saga for dozens of significant moments and achievements throughout American history, including the creation of Adobe Photoshop, James Cameron’s Titanic, and even lifesaving organ donations.  

No, really. 

Once you dig into the Star Wars saga, you’ll find it unsurprising how so many have developed an affinity for its characters and heroic plot lines, all linked together in the noble fight of good versus evil, dark versus light—and (here’s our shout-out to cybersecurity) defenders versus attackers. You’re either a real-life rebel protecting the front lines of your environment and your mission-critical assets, or you’ve teamed up with the Dark Side to plunder organizations and claim another win for threat actors.  

There’s a lot to be gleaned from Star Wars and the many lessons it’s imparted through the decades. We’re using May 4th (May the Fourth be with you…get it?) as the perfect excuse to revisit some favorite quotes and unpack what they can teach us about fortifying your environment, tapping into your security resilience, and gaining ground in the never-ending battle against hacker forces. 

5 risk management lessons from Star Wars 

“You must unlearn what you have learned.”  

– Yoda, The Empire Strikes Back 

Old habits die hard and can hold you back in the pursuit of smarter, simpler, and more agile security operations. This enlightened quote offers a perfect parallel with the evolution from traditional vulnerability and threat management to a more data-driven, predictive state.  

A traditional vulnerability management environment often means Security and IT are trapped in spreadsheets, trying to make sense of the millions of vulns in their environment, and many times leaning on outdated prioritization methods. This leads to exhausted resources, resentful teams trying to power through fix lists, and generic SLAs that either are too ambitious for the threat at hand or, in some cases, not ambitious enough. Add to that a lack of alignment around risk reduction and few reliable ways to measure progress, and you’re left with a broken system that doesn’t serve you now or into the unknown future. 

Taken at face value, a traditional security operations environment appears in obvious need of upgrades. For instance, despite mounting evidence that basing prioritization on CVSS scores (or on scanner solutions that simply repackage CVSS) is an unreliable and ineffective way to manage and mitigate risk, many organizations stick with what they’ve been doing for years. Recent research conducted by Kenna Security, now part of Cisco, and the Cyentia Institute reveals that traditional vuln prioritization methods do little to make an organization less exploitable. But the finding most likely to make you question everything you’ve learned? Merely scanning Twitter for mentions of a vuln is twice as reliable an exploitability indicator as its CVSS score. Worse still, prioritizing on CVSS scores performs only slightly better than no prioritization at all. Yoda would be so disappointed.  

For more on unlearning old school views on vulnerability management, download your copy of 7 Round Smackdown: Why New-School Risk-Based Beats Old-School Traditional Vulnerability Management. 

“Fear is the path to the dark side.”

– Yoda, The Phantom Menace 

Yes, the Dark Side can represent attackers, but it can also represent the undoing of an environment not because the attackers were smarter, but because the organization was too fearful or overly cautious to take steps toward improvements. Too often we see leadership put off network and environmental upgrades thinking operational risk outweighs security risk. Unfortunately, this avoidance has long-term, dire consequences.  

“Patch fear” is a well-known phenomenon, and the same hesitation shows up as “upgrade fear.” Whatever the root cause, fear leaves organizations vulnerable to would-be attackers.  

Ed Bellis, CTO and Co-founder of Kenna Security, and Doug DeMio, Ransomware Task Force Leader at American Family Insurance, recently touched on the topic of traditional, fear-based decision making and the cultural shift needed to evolve beyond it. “What holds you back is a cultural issue,” says DeMio, “and it’s an aversion to risk related to possible operational disruption. That’s historically why people delay applying patches because they’re worried about what it’s going to do to the system. It’s a cultural shift to understand the risk of not remediating far outweighs the risk of operational impact.” 

To get more of their discussion takeaways, check out 4 Ways to Rethink Planning for and Responding to Extreme Vulnerabilities. 

“Never tell me the odds!”  

– Han Solo, The Empire Strikes Back 

Ummmm no. This quote serves as a lesson in what not to do. Listen, we all love Han and his cavalier, renegade ways, but as far as sage advice goes, he’s in short supply. When it comes to risk management, always know the odds. Give us all the odds possible. The likelihood of an exploit is the lifeblood of risk prioritization, and you need to know it when grappling with millions of vulns to determine the biggest risks to your environment.  

That’s why tools like the Exploit Prediction Scoring System (EPSS) offer such critical insight for vulnerability management decisions. EPSS is the first open, data-driven framework for estimating the probability that a vulnerability will be exploited in the wild within a fixed window after public disclosure (twelve months in the original model; the current EPSS model scores a 30-day window, and scores are refreshed daily, so a vuln’s probability changes over time). And it’s why we build this capability into Kenna’s risk-based vulnerability management platform, offering predictive analytics and calibrated models to anticipate the next threat and track its fluctuations in near real time. 

And with better intel comes greater confidence, vital as we face the unknown. Once security leaders can layer real-world and organizational context onto their threat intelligence, decisions about where to funnel resources, what to let drop in priority, and which workflows to automate become easier to make.  

So, don’t be won over by Han’s swagger—secure the odds! 

To learn what next-gen threat prediction looks like, watch the replay of How To Predict the Next Big Exploit. 
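To make the contrast between CVSS-threshold prioritization (the old-school approach criticized under “You must unlearn what you have learned”) and EPSS-driven, context-weighted prioritization concrete, here is an added example in Python. It is not Kenna’s code and not the EPSS model itself: the vulnerability records, EPSS values, asset weights and the “was it exploited” ground truth are constructed sample data (the `vNN` labels are not real CVE identifiers), and the risk score (EPSS probability times an asset weight) is a deliberately simple stand-in for a real model. It scores each strategy on the coverage and efficiency measures the Kenna/Cyentia Prioritization to Prediction research uses: coverage is the share of exploited vulns you fixed, efficiency the share of your fixes that were actually exploited.

```python
"""Compare vulnerability-prioritization strategies on constructed sample data.

Added example, not Kenna Security code and not the EPSS model itself.
Everything in SAMPLE (labels, CVSS, EPSS, asset weights, exploited flag) is
constructed for illustration; real EPSS scores are published daily by FIRST
at https://api.first.org/data/v1/epss.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Vuln:
    vid: str             # constructed label, not a real CVE identifier
    cvss: float          # CVSS base score, 0.0 to 10.0
    epss: float          # EPSS: probability of exploitation in the scoring window, 0.0 to 1.0
    asset_weight: float  # organizational context: 1.0 = ordinary host, 3.0 = crown jewel
    exploited: bool      # ground truth, used only to evaluate each strategy afterwards


# Constructed sample, built to reflect the pattern the Kenna/Cyentia research
# describes: the highest CVSS scores are not the vulns that end up exploited.
SAMPLE: list[Vuln] = [
    Vuln("v01", 9.8, 0.010, 1.0, False),
    Vuln("v02", 9.1, 0.030, 1.0, False),
    Vuln("v03", 8.8, 0.450, 3.0, True),
    Vuln("v04", 7.5, 0.020, 1.0, False),
    Vuln("v05", 7.2, 0.600, 1.0, True),
    Vuln("v06", 6.5, 0.350, 3.0, True),
    Vuln("v07", 5.3, 0.010, 1.0, False),
    Vuln("v08", 5.0, 0.120, 1.0, False),
    Vuln("v09", 4.3, 0.005, 1.0, False),
    Vuln("v10", 3.1, 0.900, 2.0, True),
]


def select_by_cvss(vulns: Iterable[Vuln], threshold: float = 7.0) -> list[Vuln]:
    """Old school: remediate everything at or above a CVSS cut-off ("fix all highs")."""
    return [v for v in vulns if v.cvss >= threshold]


def select_by_epss(vulns: Iterable[Vuln], threshold: float = 0.1) -> list[Vuln]:
    """Likelihood-driven: remediate everything whose exploitation probability clears a bar."""
    return [v for v in vulns if v.epss >= threshold]


def risk_score(v: Vuln) -> float:
    """Exploitation likelihood weighted by what the vulnerable asset means to the business.

    Deliberately simple stand-in (an assumption of this example): a real model would
    also fold in impact, internet exposure, compensating controls and observed attacks.
    """
    return v.epss * v.asset_weight


def select_top_risk(vulns: Iterable[Vuln], n: int) -> list[Vuln]:
    """Risk-based: spend a fixed remediation budget of n fixes on the highest-risk vulns."""
    return sorted(vulns, key=risk_score, reverse=True)[:n]


def coverage_and_efficiency(selected: Iterable[Vuln], universe: Iterable[Vuln]) -> tuple[float, float]:
    """Score a remediation list against ground truth.

    coverage   = exploited vulns you fixed / all exploited vulns   (recall)
    efficiency = exploited vulns you fixed / all vulns you fixed   (precision)
    """
    exploited = {v.vid for v in universe if v.exploited}
    fixed = {v.vid for v in selected}
    hits = len(exploited & fixed)
    coverage = hits / len(exploited) if exploited else 0.0
    efficiency = hits / len(fixed) if fixed else 0.0
    return coverage, efficiency


def compare_strategies(vulns: list[Vuln] = SAMPLE) -> dict[str, tuple[float, float]]:
    """Run the three strategies on comparable remediation budgets (5, 5 and 4 fixes here)."""
    strategies = {
        "cvss>=7.0": select_by_cvss(vulns),
        "epss>=0.1": select_by_epss(vulns),
        "top-4 risk": select_top_risk(vulns, 4),
    }
    return {name: coverage_and_efficiency(chosen, vulns) for name, chosen in strategies.items()}


if __name__ == "__main__":
    for name, (cov, eff) in compare_strategies().items():
        print(f"{name:<11} coverage={cov:.2f} efficiency={eff:.2f}")
```

Run it directly to print one line per strategy. On this constructed data the “fix all CVSS 7+” list spends five fixes to catch half of what gets exploited, the EPSS threshold catches all of it with one wasted fix, and the asset-weighted top-4 list catches all of it with no waste. In real use the `epss` column would come from FIRST’s API and `asset_weight` from your CMDB, and the selected lists would drive your remediation SLAs rather than a print loop.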

“In my experience, there’s no such thing as luck.”  

– Obi-Wan Kenobi, A New Hope 

In the early years of cybersecurity and risk management, many teams got away with crossing their fingers and hiding in the statistics of hacked versus not-yet-hacked. Those days are long gone; in today’s threat-filled environment a breach is a question of when, not if. Whatever luck there was has run out, and those interested in future-proofing their environments must do the hard work of bolstering their security resilience and readying themselves for anything. 

Relentless threat actors are capitalizing on the world’s increasing connectivity and expanding attack surfaces to unleash more aggressive and frequent attacks. In 2021 alone, a record-breaking 20,130 CVEs were published, and that growth is expected to continue. (All these vulns have to reside somewhere.) In fact, nearly all assets—95% to be exact—have at least one highly exploitable vulnerability. 

It’s just a matter of time, so you’d better be ready.  

To get your security operations up to Obi-Wan standards, explore this interactive eBook, Building Security Resilience: Stories and Advice from Cybersecurity Leaders. 

“Do. Or do not. There is no try.” 

– Yoda, The Empire Strikes Back 

We would be remiss not to include what is arguably one of the most famous lines in film history. Yoda is a treasure trove of lessons, but this one in particular strikes a chord with us because, as the quote establishes, there are only two options facing today’s security operations teams: evolve or fall behind. And falling behind is untenable.  

That’s why Cisco is championing a mission to empower enterprises with powerful, streamlined security tools so companies can close unprotected infrastructure gaps, see more of the data and context to anticipate what’s next, prioritize the alerts and vulnerabilities that matter most, automate resource-draining tasks, and emerge stronger and more resilient when cyber events do happen. 

Cisco Secure and Kenna Security are working together to help teams take data-driven, decisive action confidently and quickly. To learn more about what this will look like and the benefits teams can gain, watch Cisco SecureX + Kenna Security: Bringing Simplicity to You. 

Be brave, and don’t look back. 

We’re on the precipice of a new era of risk and risk management. The time to level up your security is now. There’s important work to be done, and together, we can chart our journey into the unknown—ready for whatever lies ahead in a cybersecurity galaxy far, far (or even not so far) away. 



© 2022 Kenna Security. All Rights Reserved. Privacy Policy.