Who Are You? The Question That Rewrites Every Security Analysis
When discussing security, most people start with what seems like a logical question: "Who do I need to defend myself against?" But is that really the right place to begin? Using a case involving cyber operations attributed to Iran and the seemingly unlikely targeting of a medical-sector organization, this article explores how security consultants approach risk differently. Instead of focusing solely on the attacker, they seek to understand the target, the context, the vulnerabilities, and the hidden connections that can transform an individual, organization, or business into an attractive objective. A journey through risk analysis, prevention, strategic thinking, and systems understanding that explains why security does not start with the enemy, but with a much simpler and often overlooked question: "Who are you?"
SECURITY CONSULTING, SECURITY MANAGEMENT, RISK MANAGEMENT, RISK ASSESSMENT, STRATEGIC SECURITY, THREAT ANALYSIS
Danilo Amelotti
5/31/2026, 5 min read


While the world was scrambling to identify who was behind the recent cyberattacks attributed to Iran, I found myself asking a completely different question: Why these specific targets?
Looking Beyond the Headline
A few days ago, I came across a video detailing cyber operations linked to Iran following US and Israeli strikes against Iranian military and intelligence infrastructure. The footage described remote device wipes, leaked personal data, compromised critical infrastructure, and military personnel tracked through seemingly innocent data points. For anyone who has spent years in security, intelligence, or cyber operations, none of this was groundbreaking.
What caught my attention, however, was not the hackers, the attribution, or the geopolitical debates that inevitably follow such events. It was the underlying mindset driving the operations.
Security professionals suffer from a distinct professional bias. While the general public looks at a breach and asks, "Who did it?", a strategic advisor steps back and asks:
How did they achieve this outcome?
Why was this specific target chosen?
What made it attractive?
Which vulnerabilities were identified and exploited?
In other words, the focus shifts from the attacker or the final breach to the entire mechanism that enabled it. Attribution and impact are merely factual data points. The true value—especially when it comes to prevention—lies in decoding the logic, strategy, and pathway that made the event possible.
The Core Question
Watching that video reminded me of a question I often pose at the beginning of a consulting engagement—one that regularly catches clients off guard.
"Who are you?"
This is not a biographical question, nor is it an icebreaker. I am not looking for a name, nor am I asking about the cameras they installed, the software they run, or the alarm systems protecting their offices.
I want to understand their identity: what they do, their role within their ecosystem, the data they handle, their relationships, their operational footprint, their dependencies, and, above all, the value they represent to an adversary.
The Fundamental Flaw in Security Thinking
This is exactly where the most common misconception in security begins. Most organizations start with the wrong premise:
"Who do I need to defend myself against?"
It is a natural question. We instinctively picture a hacker, a competitor, a fraudster, a rogue employee, or even a nation-state. The problem is that this question is premature. Before asking who might attack us, we must first understand why anyone would care about us in the first place.
Why Prevention Beats Reaction
Threats are a constant. They are everywhere. What changes is the catalyst that makes a specific threat actor notice a particular individual, company, or organization.
This brings us to one of the most fundamental yet widely ignored principles of security: prevention is always more cost-effective than reaction.
True security is not about reacting to what has already happened. It is about proactively identifying the conditions that allow a crisis to manifest. A vulnerability remediated today is always cheaper than a crisis managed tomorrow.
You Don't Have to Be Unique to Be a Target
An entrepreneur developing cutting-edge technology might face risks they completely overlook. This risk is not just about what the technology does today, but what it could become tomorrow.
Where the founder sees a product and the investor sees a commercial opportunity, a seasoned security strategist immediately spots dual-use applications, strategic interests, military implications, or unwanted attention that the C-suite completely missed.
But it would be a mistake to think this only applies to revolutionary startups. In fact, the opposite is often true.
Many companies have operated for decades in seemingly mundane sectors. They manufacture components, manage secondary infrastructure, provide niche services, or occupy a specific slot within a broader supply chain. They do not view themselves as high-risk, and they assume they have nothing worth stealing.
Yet, all it takes is a geopolitical shift, an international crisis, a new strategic dependency, or a localized conflict to completely redefine how external actors view them.
Unwitting Targets
This is one of the most fascinating aspects of risk management: there are companies that have no idea they are interesting. This is not due to naivety or incompetence, but because they view the world strictly through the lens of their industry, market, and daily operations.
A security strategist, however, is forced to look beyond those boundaries to identify the hidden interests, connections, and implications that lie outside the client's field of vision.
Your risk profile is not defined solely by who you are today.
It is defined by how others choose to look at you tomorrow.
What Does a Medical Company Have to Do with Iran?
This brings us back to the video, which offered a stark case in point. Among the organizations targeted was a company operating in the medical sector.
I can already picture the collective confusion. What does a healthcare organization have to do with a geopolitical crisis involving Iran, Israel, the US, oil, and nuclear proliferation?
The answer is: everything.
This is not because anyone could have predicted the exact day, the exact threat group, or the precise methodology. A consultant is not a fortune teller, and security is not about predicting the future. It is about understanding what characteristics make an entity attractive across a wide spectrum of scenarios.
If you had asked me years ago whether a healthcare provider or a medical device manufacturer could become a high-priority target for hostile actors, my answer would have been an immediate yes. Not because I anticipated specific geopolitical moves from Iran, but because any entity serving a critical societal function possesses intrinsic vulnerabilities that appeal to a wide variety of threat actors, each with different motivations and capabilities.
The adversary changes. The blueprint remains.
This is the core difference between trying to guess who will strike versus understanding how you could be compromised—and how to build resilience against it. The former chases headlines; the latter analyzes systems.
The Conductor and the Commander
Most professionals view security through the narrow lens of their own specialization. The technician looks at hardware, the IT expert focuses on digital systems, the legal team reviews liability, and the investigator tracks data points. They all see a piece of the puzzle.
But someone has to own the macro perspective.
In this regard, a strategic consultant acts much like an orchestra conductor. It is not just about coordinating specialists; it is about understanding the ultimate objective and recognizing how seemingly disconnected elements influence one another. Just as a conductor seeks harmony, a security advisor seeks systemic balance and efficacy.
At the same time, they act as a commander. They must evaluate which threats are genuinely relevant, establish clear priorities, allocate finite resources, and determine where to concentrate time and budget to yield the maximum return on mitigation.
Observation vs. Comprehension
The most dangerous threats rarely make the front page. More often, they breed at the intersection of technology, human behavior, corporate habits, vendor relationships, and operational context. They only become visible when you look at the complete picture with the experience required to interpret it.
Because seeing the picture is not enough. You need to have analyzed hundreds of different scenarios, studied real-world failures, deconstructed incidents, and watched crises unfold in unexpected ways. Only then do you develop the pattern recognition required to connect seemingly insignificant dots into a coherent strategy.
Security Doesn't Start with the Enemy
This is the dividing line between a casual observer and a security strategist. The former looks for the culprit; the latter looks for the mechanism. The former focuses on what happened; the latter focuses on how to prevent it from happening again.
That is why my first question to a client is rarely about the threat, the software they want to buy, or the hardware they want to deploy.
First, I need to know who they are. Because only when you truly comprehend your identity, your systemic value, and your vulnerabilities can you begin to design a serious security posture. Everything else is secondary.
Security does not start with the enemy.
It starts with the target.
It starts with understanding the system.
And it almost always begins with a deceptively simple question: "Who are you?"
Sources
Original video that inspired the article
Facebook Reel: https://www.facebook.com/share/v/18eUgxJrv8/
Further information and checks
TechCrunch – US accuses Iran's government of operating hacktivist group that hacked Stryker: TechCrunch - Handala / Stryker attack
FBI FLASH – Government of Iran Cyber Actors Deploy Telegram C2: FBI FLASH 20260320-001
TechTarget – CIOs must now model war as an enterprise risk: TechTarget analysis on Stryker attack
Cybersecurity Dive – Stryker attack raises concerns about role of device management tool: Cybersecurity Dive - Stryker and Intune analysis
TechCrunch – CISA urges companies to secure Microsoft Intune systems after hackers mass-wipe Stryker devices: TechCrunch - CISA advisory after Stryker attack


