Hope Is Not a Strategy: Four Lessons ‘Survivor’ Taught Me About Cybersecurity

The Fijian island landscape may look very different from the Cyber Exposure landscape, but surviving them has more in common than you would think. And I have the personal experience to prove it.

In 2018, I took a short break from my position as a Technical Writer at Tenable and traded writing documentation for vulnerability management solutions for something a little less high-tech. I flew to Fiji to compete on the CBS reality television game Survivor: David vs. Goliath. I survived two cyclones, underwent grueling physical and mental challenges and lived on a diet of only rice and coconuts for 32 of 39 days, until I was voted out in eighth place. It was the experience of a lifetime, pushing me far beyond what I thought I was capable of.

Among the many challenges I faced on Survivor, I learned several valuable lessons. Here are four of my takeaways and how they relate to cybersecurity:

1. You can’t succeed alone

It’s basically impossible to survive on an island alone. As a tribe, we were completely responsible for building our own shelter, finding food and building fire. Though everyone came from different walks of life we all worked as a team, using everyone’s unique knowledge and skills to our advantage.

Much like a functional tribe, the Tenable Cyber Exposure ecosystem includes a wide range of integrations and technology partners. These integrated solutions help increase the breadth of visibility across the modern attack surface and foster better collaboration across Security and IT Operations teams.

I’m grateful that throughout my adventures, my manager and technical writing team at Tenable had my back and fully supported me. To me, their support exemplified the Tenable value of One Tenable: the idea that we’re all one team, working together and winning together.

2. You have to learn to prioritize risk

Like any game worth playing, there is no reward without risk. I knew the $1 million prize on Survivor wouldn’t come easy, and I would have to take risks to get myself further in the game. These decisions ranged from low-risk (sticking with the majority and voting out a consensus target) to high-risk (blindsiding my ally at a critical time because I thought it might get me closer to winning).

I constantly weighed external risks in the game. Was a clash of personalities with an adversary an imminent threat to my game? Was it worth cooking an extra scoop of rice if it meant we’d run out of our rice supply sooner? Evaluating and prioritizing the various risks in the game were key to making strategic decisions.

The need for prioritization probably sounds familiar to many cybersecurity professionals. According to the National Vulnerability Database, there were 16,500 new vulnerabilities disclosed in 2018 alone, of which only a small fraction was actively weaponized for cyberattacks. When faced with such a high number of vulnerabilities in the cybersecurity landscape, you have to be able to identify, investigate and prioritize risk in order to identify what poses an actual threat to your business. One way to do that is with Predictive Prioritization, a machine learning algorithm from Tenable which helps you focus on the vulnerabilities that matter most.

3. You must be able to adapt to an ever-changing environment

On day one of the game, the host Jeff Probst presented us with the following premise for our season’s theme: “It’s not about who has the advantage, but what is the advantage?”

Three weeks into playing Survivor, late into the game, my alliance was at a disadvantage because we were in the minority. It appeared we would be picked off by the majority alliance, which had the numbers over us. Suddenly, the strategic landscape of the game changed: one of my alliance partners found a hidden advantage, allowing us to steal a vote from the other alliance. True to Probst’s words, it didn’t matter who had the initial advantage, because we had an advantage that trumped theirs, allowing us to reclaim power in the game.

In cybersecurity, attackers often have the first-mover advantage. Security teams have the power to reclaim the advantage by developing a risk-centric mindset. The Tenable advantage is the ability to adapt to new and evolving threats. The Cyber Exposure landscape is constantly changing, so you have to learn to be adaptable when it comes to your cybersecurity efforts.

4. At times, being proactive is better than being reactive

It’s good to be adaptable and react to a problem. It’s even better to be proactive and know when something might become a problem before it does. On Survivor, when I found myself in danger of being voted out of the game, I couldn’t be passive and merely hope things would go my way.

I decided to live by the phrase, “Hope is not a strategy.” Being proactive meant I had to take matters into my own hands, like stepping up for the main role in a team challenge, or initiating a strategic conversation to solidify an alliance.

In cybersecurity, merely hoping your assets aren’t vulnerable isn’t enough to shield you from attacks. Instead, you have to take fate into your own hands and find solutions that help you close your Cyber Exposure gap.

Though I’m back at my usual job, writing documentation for our Tenable products, my experience on Survivor will never leave me. I learned the value of being a team player, as well as how to be analytical, adaptable and proactive. Just like the Tenable products I write about.

Watch the video below to hear more about my experiences:

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.