My last post discussed the changing nature of security. The impact of today's cyberattacks isn't limited to stealing financial information or personal data. Instead, these attacks seed chaos. With this reality at hand, the need for business-driven security is even more pronounced. Security professionals must draw connections between the technical details of a security incident and the corresponding business impact. Otherwise, they'll fall into the gap of grief.
I covered this theme during the opening keynote at RSA Conference 2017 and offered three suggestions for implementing business-driven security:
First: Treat risk as a science, not a dark art.
Think through the potential ripples your company might encounter. Channel your inner philosopher. Ask yourself: "what if?"
That's easier said than done. Nobel physicist Niels Bohr supposedly said: "Prediction is very difficult, especially about the future."
Some CISOs I've talked to - across the public and private sectors - have increased their odds of success by using formal risk frameworks like FAIR or Bowtie. These specific approaches may not be right for your organization, but every company should be using a consistent and rigorous methodology to reason about risk.
Second: Simplify what you control.
Recently I talked to one of our customers who has 84 different security vendors. Yes, 84! How do you manage that many vendors, let alone get anything done? How do you justify the return on investment from each of these vendors to your C-suite and board?
Vendor chaos serves no one. Consolidate your vendors. Avoid adopting a "no vendor left behind" policy. Double down on vendors that work well. Ditch everyone else. Don't bolt on one vendor after another, hoping to compensate for flaws. Hope is not a strategy for dealing with chaos.
Also, in my experience, organizations fall into the gap of grief because their security technologies operate in three main silos:
- Security Exclusion - keeping the bad guys out;
- Security Inclusion - enabling the good guys to get in;
- Business and IT Risk Management - tracking the dangers you might face.
When these areas aren't integrated, multiple disconnected point solutions create chaos through alert fatigue. And organizations lack the business context to meaningfully navigate the chaos.
To tame chaos, consolidate and integrate vendors. Don't draw lines between your technologies. Draw connections.
Third: Plan for the chaos you can't control.
Consider "Tyson's law of Cybersecurity", named after the well-known cybersecurity expert - and boxer - Mike Tyson, who said: "Everybody has a plan until they get punched in the mouth."
Anybody who's dealt with security incidents can relate. Good incident response plans have the ABCDs:
- "A" - Availability: The plan should only leverage available resources. Sounds obvious, but one CISO I know found that the plan her predecessor developed required people, process, and technology that the organization neither had, nor planned to have. It's pointless to put empty fire extinguishers in every hallway.
- "B" - Budget: Account for the sudden costs you'll incur. An incident response plan without budget authority is a fairytale.
- "C" - Collaboration: The plan must have cross-functional alignment across the key stakeholders. IT, finance, legal, communications, sales, and others play critical roles in a security crisis and must collaborate. They'll be working 24/7, camping out at the office, possibly for months. That is not the time for introductions.
- "D" - Dress Rehearsals: The first time you try out your plan shouldn't be during an actual incident. Practice makes perfect, even within incident response.
These suggestions enable security leaders to draw connections between cybersecurity and business goals. Security professionals need to be trusted business partners who help our companies harness the power of innovation, with a detailed view of the risks, and a plan for responding when risks get real.
In our networked era, when the ripple effects of chaos propagate more quickly, and with more devastating consequences, we have to be ready to lead our organizations through chaos. We face a remarkable opportunity for our industry. Let's seize it.