For years, I’ve heard highly qualified cybersecurity professionals tell me how difficult it is for them to justify expenses and provide return on investment (ROI) for security controls. They also tend to state that it’s very difficult to come up with any real progress measurements – metrics – for their efforts.
When I ask them why, I usually get one or two of the following replies:
- C-level folks don’t know enough about cybersecurity to have an intelligent discussion about funding for controls, protections and steps.
- Hacking techniques change so often that security pros need to pivot resources quickly. As a result, it’s nigh unto impossible to justify expenses. By the time you sit to do it, a new threat has developed.
- Yesterday’s metrics are often inadequate for today’s attacks.
- Back when compliance was the answer, it was easier to discuss metrics. It’s not the case now.
- Bigger companies have to worry about ROI – not smaller companies.
- We still don’t have a consistent lexicon that allows us all to speak the same language when it comes to security.
While these reasons contain very valid points, they’re really excuses more than anything else. They are indicators of a particular type of communication failure. In fact, it’s an indicator of compromise – or what I call, the failure to compromise. Let me explain.
Talking It Through: Negotiating Terms and Communicating Consistently
C-level impatience with technical concerns is often nothing more than a sign of inadequate communication. Once C-level and board-level individuals start communicating with techies, they’ll all realize they need to compromise and learn from each other.
More About Security Metrics
Learn more about establishing security metrics in CompTIA's latest research report, 2018 Trends in Cybersecurity: Building Effective Security Teams.
C-level folks want to get complete, consistent information. They have very good intuition for information they feel doesn't quite work for their position. It's up to the techies to use consistent language so everyone's on the same page when it comes to managing risk.
But, I’ve almost always found that any C-level and board-level folks worth talking to understands risk very, very well. In fact, they usually understand risk better than cybersecurity techs.
Once folks on both sides of the table learn to communicate, then they can start creating useful metrics that help everyone understand how to manage risk and spend money wisely. This way, workers and management can then move past mere compliance-based approaches and focus on creating terms, metrics and controls that help manage the crown jewels of the company.
And, it doesn’t matter how big or small your company is. Sure, a small company can’t afford to hire a full red team (pen tester) and blue team (analytics) contingent. But they surely can hire such services on a managed service basis. But, hiring a managed security service provider isn’t the only solution – you’ve got to get everyone communicating consistently.
The C-Level and Board Perspective
As part of my role here at CompTIA, I decided it wasn’t enough to just talk with the techies. I make a point to talk with C-level and board-level folks about the same issue. When I asked about why it’s so difficult to get real metrics, I got some pretty revealing answers:
- Sometimes, technical folks get a bit lost in the weeds. Either that, or I do.
- I get the feeling that our cybersecurity folks love new gadgets and technologies and lose track of the main issue: Risk to the company.
- We don’t talk very much with the cybersecurity folks. I mostly talk to the chief information officer (CIO) to get relevant information.
- I just make sure that we are compliant with legal and regulatory requirements.
- It’s hard to understand what they’re talking about, really. They use about 10 different words or phrases to describe the same thing. And in other cases, they have no words to describe some of the most important things when it comes to managing risk.
Notice the similarities, here? In many ways, executives and techies are in violent agreement. In other cases, there needs to be some pretty serious realignment.
Solutions?
I’ve already discussed the biggest issue: lack of communication. But, some of the comments above reflect a serious issue: Worldwide, I still see how large and small companies alike still place the cybersecurity function underneath the CIO. Yes, that’s still an issue, and it’s almost 2019.
That’s a mistake. Separation of duties pretty much demands that a chief information security officer (CISO) function be separate from the CIO. Second, I’m always uncomfortable with compliance-based security efforts; the check-the-box security usually results in a relatively ham-fisted approach.
Creating – and Using – a Consistent Cybersecurity Lexicon
The most telling comment is the last one: I agree that all parties tend to use cybersecurity terminology inconsistently. That’s a serious problem.
First of all, such inconsistency reflects sloppy thinking and practice. Second, it can actually result in sloppiness.
The best CISOs I’ve spoken to over the years make it their first priority to get everyone on the same terminology page. Then, they use these same words as they create security controls. As a result, they have a consistent approach that they can then justify. As result, everyone can then start managing risk appropriately.
You don’t have to go running to the latest NIST standard or framework or to ITIL or anywhere else to get started on his. Start with a framework and then adopt it consistently. It’s not that difficult.
Moving Beyond the Defender’s Dilemma: Locard’s Exchange Principle and Morpheus
At ChannelCon 2018, I had the chance to talk about the lack of useful cybersecurity metrics – I stated that, in fact, this lack results in a sort of cybersecurity matrix. In other words, the lack of proper metrics results in confusion and inconsistency – one of the primary reasons why we’re seeing so many successful security breaches today.
I invoked Morpheus of The Matrix, as well as Dwight D. Eisenhower as a way to help us out of the issue.
Dwight D. Eisenhower
You see, both have a way of helping people find ways to create justifiable actions. Yeah. I’ve just compared Dwight D. Eisenhower – an old, dead guy who looks disturbingly like Elmer Fudd – with Morpheus, one of the cooler science fiction characters. Maybe I just got your attention. But I’m convinced that there’s a relationship between these two folks. In fact, here’s another dead guy to think about: Edmund Locard. He also is part of our way out of the cybersecurity metrics matrix.
Edmund Locard
And no, I’m not talking about the red team and the blue team, here. I talked about that last month in my Hunt for the Meaning of the Red Team blog. I’m talking about how we need to move from the defender’s dilemma type of thinking to a new way of thinking: to the hacker’s dilemma.
This involves a concept called Locard’s Exchange Principle, as well as understanding more about what an indicator of compromise (IoC) really is. If you understand these things, then you’ll be able to move beyond the typical defender’s dilemma approach, and into a more useful perspective. Stay tuned for more about that in next month’s entry.
Learn more about the CompTIA Cybersecurity Career Pathway.