Thursday, September 17, 2015

Doing it all wrong . . .

We’ve been doing it wrong for a while now. Over the last 20 years or so we’ve kept the discussion regarding security highly technical. Unfortunately, our greatest achievement was to exclude the C-levels and the board of directors from the conversation, and in doing that we’ve lost hundreds of years of organizational memory in problem solving, overcoming challenges, and mitigating risk. I’m arguing that cybersecurity isn’t a technical issue; it’s a business issue with strong behavioral and cultural influencers. The flourishing of the cybersecurity scene alongside the rise in cyber-attacks lends a certain credence to this theory. Yes, yes… one can argue that the increase in cyber-attacks is derived both from the shifting of conventional crime to cybercrime and from the active participation of nation-sponsored threat agents in countless cyber-attacks. I don’t! To set the record straight, technology is crucial for solving the problem. Technologies involved in efforts such as sandboxing, deception, behavioral analysis, threat detection, cloud security, endpoint security, and many others are advancing by the day, BUT they’ll only get us so far. The unstoppable race continues through and beyond the next technology; additional resources and budgets are forever incapable of yielding the desired results. As long as we keep looking at cybersecurity as a technology issue we’ll keep falling short in solving it. By the way, I think that we’re just in the pre-game and we’ve seen nothing yet: I predict that in the next 24 months (17 September 2017) we’ll see the first mega cyber-attack, and I wouldn’t be too surprised if that is aimed at critical infrastructure.

Personally, I’m not fond of the term “governance” and what it has represented over the last two decades in the security field – lame auditors with little to absolutely no understanding of security checking boxes. The same goes for “compliance”, which is just a means to enforce governance; but if the governance is missing its true essence, then what you get out of compliance is nearly worthless when it comes to actual security. I like the term “Management Oversight” much better. If we want to yield better results we need to start addressing cybersecurity as a business issue; we need to deploy the methods and disciplines used in other areas of the business for “doing” and problem solving (e.g. game theory, applied mathematics, risk management, etc.)… The board has two primary roles: the first is to set strategy and the second is to oversee the executive team and the business operation. Hence, if you’re convinced that cybersecurity is indeed a business issue, then the first step is to provide accessibility to the C-level execs and the board of directors, and that would only happen after we transform the discussion into a business discussion, looking at and evaluating business parameters.

The approach I’m suggesting is conceptually simple and potentially quite complex in its implementation. Think of layers, and think of security-related technology (and products) as the first. Technology will continue to be fundamental in solving the problem, if only because humans are both slow and liable to demonstrate poor judgment. I would like to say that the next layer is simply an industry-standard security framework (e.g., NIST, ISO, etc.), but they’ve proven not to be enough, as they rely on old-school governance, which is only partially effective. Traditionally, these don’t provide real guidance pertaining to the effectiveness of security infrastructure and systems but instead focus mainly on the existence of a security management system. The third layer is the audit and testing layer. I have strong reservations about typical audit functions because, much like compliance, they tend to be too theoretical, too forgiving… too soft. That said, supplementing tradition with a strong testing function which leverages red teams and war gaming, and puts functions such as security operations, incident response, and crisis management to a real-life test, would provide a realistic view of the level of security.

The first three layers should be complemented by two additional layers: one that we explored earlier, management oversight, and a final component – quantitative risk management. These are bi-directional in that both receive inputs from the first three layers; they complement and feed each other and provide output in a meaningful way which supports decision making. So, why quantitative and not qualitative risk management? That’s easy. When using qualitative risk management the assessment evaluates critical factors using qualitative scales (e.g., high – low, 1 – 5), leaving it to the mercy of an assessor’s mood on the day. At best, experienced security practitioners may be able to arrive at similar scorecards when evaluating “high” and “low” probability scenarios. Experience and double-blind testing tell me not to count on it. Quantitative measurements and estimates flesh out the assumptions, and they can be reviewed for accuracy over time.

Back to “Management Oversight”: if we want to keep the executive team and the board of directors threat-informed, and we aim to include them, the “Management Oversight” layer needs to address their concerns and their questions: What threats are we facing? Which of these threats are we better prepared for, and where should we make further investment? How resilient are we to a cyber-attack? What is the overall survivability of the organization through a major cyber-attack? How mature are our incident response and threat intelligence programs? Have we tested our crisis management function? Who do we inform? Do we have the right messaging? Who faces the media? How effective is our security framework, and how compatible is our risk management framework with cyber risk? Are we under-insured, or are we over-paying?

To sum it up, cybersecurity has only been around for 25 years; in some areas of the discipline there is a great deal of maturity and in others… not so much. We’re going through an evolutionary process, and what we know about evolution is that whoever manages to adapt when the circumstances change has the better chance of surviving.
