Why No One Listens to Cassandra

I recently spoke at BSides Charm on how to influence business decisions. One of the stories I told was that of Cassandra, a Trojan priestess, and daughter of the King, Priam. 

According to Greek mythology, Cassandra received a remarkable gift from the Greek god Apollo, giving her the ability to see into the future. However, when she later rejected his sexual advances, he punished her with a curse. He wanted credit for her work and felt entitled to her attention, her gratitude, and her body. He was a selfish creep who couldn’t regulate his emotions when rejected. When she called him out, he retaliated. 

My motivation for sharing this story isn’t to draw parallels between the Ancient Greek misogyny and modern infosec; they draw themselves.  

<insert image of exhausted women throughout the ages>

Apollo punishes Cassandra by preventing any of her prophecies from making a difference. No one will ever believe her even though she’s right, and this is the aspect of Cassandra’s story that security and privacy professionals obsess over. Like the cursed Trojan priestess, we can see all of the horrible things that will go wrong in the future, but no one listens. 

Ten years into a frustrating war with Troy, the Greeks came up with a new idea. They build a giant wooden horse, hide their best warriors inside, and leave it outside the walls of Troy as an olive branch. The Greeks then leave Troy, returning to their boats to sail away. 

Meanwhile, the Trojans are left to decide what to do with this giant wooden horse. 

Editor’s note: It seems pretty clear to me that anyone who leaves a giant farm animal of any kind on your front lawn isn’t a true friend, but the Trojans were truly perplexed. 

Now, Cassandra knows this horse isn’t a gift and she attempts to warn her fellow Trojans not to open the gates. Due to Apollo’s curse, no one listens to her. They wheel that giant flammable monstrosity into the middle of their city like the U.S. federal government bringing in Microsoft Exchange. 

That night as the Trojans slept, Greek warriors spring out of the horse and begin slaughtering the people of Troy. It was a disaster made even more tragic by the fact that it was completely avoidable. 

If Cassandra had been CISO of Troy, she might have tried to fake influence with an irritating mantra like, “Never waste a crisis,” while frantically updating her slide deck to advocate for more resources, further entrenching the executive team’s perceptions that security is only a wartime investment.

I presented several pitfalls of “governing by crisis” at the Enigma 2021 conference. You can see a recording of that talk here.

The fact remains that no one was persuaded by Cassandra’s prophecies. 

And that’s the point of the story I find most interesting — Apollo’s curse didn’t impact other people’s ability to understand each other. The curse changed how Cassandra communicated, burying the meaning of her advice in vague and opaque language. She confused everyone around her with symbols and metaphors they couldn’t relate to. 

Cassandra wasn’t believed because she was an ineffective communicator. She produced a lot of outputs, but not outcomes. 

Sadly for her, the City of Troy, and many professionals now raising the alarm about security and privacy risks, attention is no substitute for persuasion.

Our ability to communicate effectively is the #1 indicator of our potential to influence the business.