Audience: Cybersecurity professionals and CEO/Business Unit Leaders, SecOps.
You know how during the holidays there are always certain family dynamics that repeat themselves? For example, if there is a doctor at a holiday gathering, they always get asked medical questions. Well, I am in cybersecurity so guess what kind of questions I get? Yep, I always get asked cybersecurity questions. Maybe it happens to you, too!
At one holiday gathering a family member, a successful businessman, asked me: “Robert, I am worried about my company getting hacked. What is the most secure computer?” My answer: “The most secure computer? Well, you need to go to Logan, Utah, and claim one of the Apple Lisa computers that is buried in the landfill there, because the only 100% secure computers are ones that are turned off and buried deep under the earth.” We all laughed and then we discussed how hard it was for him as a businessperson to reduce cyber risk by making business decisions. This led to what kinds of strategies would work to demonstrably reduce cyber risk for his organization. This conversation did spark some analysis about the problems he and others were facing: How can leaders make business decisions that manage cyber risk?
OK, let us analyze this. My family member was worried that their organization might be hacked. Well, what happens when you are hacked, besides the obvious damage? When you get hacked, no one is going to assess you by how many pieces of cybersecurity technology you have or how much it cost you, or how many people you have with ‘cybersecurity’ in their title. You will be harshly judged based on the justifiability of the tools and processes you have in place. You must have a strategy and a framework that is clearly logical and defensible and shows a balanced approach. So exactly how would you create a justifiable, balanced cyber risk strategy?
First, we need to talk about the problems. When you look out across the cybersecurity landscape, it is largely made up of vendors and defenders implementing tools and processes to achieve one or more capabilities. Let us look at a great standard, CIS, specifically CIS Control 7: Continuous Vulnerability Management. CIS Control 7 requires that an organization:
- 7.1 Establish and maintain a vulnerability management process
- 7.2 Establish and maintain a remediation process
- 7.3 Perform automated operating system patch management
- 7.4 Perform automated application patch management
- 7.5 Perform automated vulnerability scans of internal enterprise assets
- 7.6 Perform automated vulnerability scans of externally exposed enterprise assets
- 7.7 Remediate detected vulnerabilities
This control does a fabulous job of guiding an organization to implement vulnerability management capabilities in a logical way to deny exploits to adversaries during an attack attempt. Note what it does NOT discuss: How would you measure the reduction of cyber risk due to implementing CIS Control 7, or any other control? How do you define success, and how would you measure it?
The problem is all about getting to the next stage in your cybersecurity journey, the measurement and proof stage. Frameworks like CIS are fabulous in helping you get a structure in place and guidelines on what you need to do to have a great start in cybersecurity. They tell you the things you must have in place to even have any level of justifiability to your stakeholders. But the point is, once you implement things like CIS, the last thing you want is for a breach to be the event that answers the question “Is my cybersecurity working?”, because so often the answer is: “NO!”
What we want is some way to figure out whether you have justifiable and measurably effective and balanced controls BEFORE you are breached so you have an opportunity to take corrective action in your cybersecurity tools and processes before an incident occurs. So, we are NOT saying that you should not follow CIS (and other excellent models and frameworks), we are saying you need to take the next step.
OK, say you are the CEO. Just ask yourself a question: “What business tools am I using to manage cyber risk?” If your answer is “Well, I can’t think of anything,” then we urge you to continue reading. We have interviewed a significant number of CEOs who are now being held responsible for managing cyber risk. The problem is, not even one of them told me that they had good ways to do that.
This provides an opportunity to create foundational principles that are all about business decisions and finding the balance between cybersecurity and getting business done. In case you are wondering, yes there clearly is a dynamic tension between business and security. Let me give you an example. Just this morning, I was about to jump on a video conference call when my laptop told me that I needed to re-enter my password and then do multi-factor authentication on my phone. Oops! My phone is downstairs, so I go tearing downstairs to find it, unlock it (oh no! The battery is dying!), plug it in, and then give the phone my fingerprint. This made me a couple of minutes late to the call. Yes, there is friction between getting business done and good cybersecurity.
OK, back to strategies for how we balance cybersecurity and business using ways where we can measure and analyze whether it is working for the organization overall and is justifiable in the eyes of stakeholders, including employees, regulators, investors, shareholders, etc.
We have defined four foundational concepts that we are using to analyze how we approach cybersecurity going forward. We call them the Security F.O.C.U.S. concepts.
At BigFix, we have been using these concepts to set the foundational principles we use to design our cybersecurity products, because they give us a way to think about and resolve the dynamic tension that exists between business and cybersecurity. We are sharing them here because these principles are ones that are valuable in helping key stakeholders who are managing security and business to have a lingua franca that binds them together. We think they will be valuable to you.
Using the FOCUS concepts to guide how your organization strategizes about cybersecurity empowers you to find and implement controls that balance the needs of business and security simultaneously. Furthermore, it allows highly technical teams like SecOps and ITOps to have fruitful discussions and strategy sessions with non-technical stakeholders like the CEO, Business Unit leaders and device owners.
Since this is a blog, let me briefly define each of the FOCUS concepts and then close things up. Each one is worthy of its own blog, but the following will help get you started for now:
F = Friction: The Balance Between Business and Protection.
- This concept is to show, measure and maintain the balance between business and cybersecurity protections. How much friction exists? Is it too high and dragging your business velocity down? Do the benefits outweigh the hassle factor? Do you have ways to measure it and make sure it is in balance?
- The goal is also to reduce friction among key stakeholders involved in cybersecurity, specifically reduce friction among SecOps, ITOps, the C-Suite and the Device Owners as each stakeholder pursues their individual missions.
O = Outcomes: Are You Getting the Desired Cybersecurity Outcomes?
- This concept is to define, measure and control whether the security programs, tools, and processes are producing the desired security and business outcomes. Are you quantifiably reducing cyber risk? How do you know? How are you measuring it?
- The goal is also to help SecOps, ITOps, C-Suite and Device Owners easily target and achieve security outcomes together and to measure and prove it happened.
C, U = Consistency and Uniformity: Is Cybersecurity Working Evenly Over Time Across the Organization?
- This concept applies when you have cybersecurity applied across systems that should exhibit these traits. For example, if you have thousands of identical laptops, are the cybersecurity assessments across these laptops uniform, alike and lacking diversity? Are the assessments consistent and not changing over time? Do certain devices or persons keep ‘falling out of compliance’? Knowing this helps spot trouble areas requiring intervention.
- The goal is also to help your stakeholders (SecOps, ITOps, C-Suite and Device Owners) achieve consistent, uniform experiences overall.
S = Sufficiency: Is Security Meeting Business and Stakeholder Expectations?
- This concept is to determine whether the security processes meet the needs of business AND cybersecurity, and whether they are enough and are balanced. It is not enough to say you are getting cybersecurity outcomes. Are you getting enough of them in the right places to say that your cyber risk is at an acceptable level overall? Each organization has a different appetite for risk, and this must also be accounted for. Sufficient for one is not sufficient for all.
- The goal is also to create automation and processes to ensure that you have enough security to meet expectations and that protections and business are in balance. Ensure your stakeholders have enough of what they need to meet their goals in cybersecurity and business.
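To make the measurement questions above concrete, here is an added example (not BigFix code, and not part of the original post) that computes fleet-level figures for the Outcomes, Consistency/Uniformity and Sufficiency concepts, and answers the CIS Control 7 question of how you would measure whether remediation is working. The assessment records, the device names and models, the rule that a device is compliant when it has no open critical findings, and the 95% risk-appetite threshold are all constructed assumptions for the illustration.

```python
"""FOCUS-style fleet metrics over constructed endpoint assessment records.

Added example for this post, not BigFix code. Each record is one weekly
assessment of one device: (device_id, model, week, open_critical), and a
device is treated as compliant for a week when open_critical == 0 (assumed
policy). Threshold values stand in for an organization's own risk appetite.
"""
from collections import defaultdict
from statistics import pstdev

# Constructed sample: six laptops, two hardware models, four weekly scans each.
ASSESSMENTS = [
    ("lt-01", "modelA", 1, 0), ("lt-01", "modelA", 2, 0), ("lt-01", "modelA", 3, 0), ("lt-01", "modelA", 4, 0),
    ("lt-02", "modelA", 1, 0), ("lt-02", "modelA", 2, 0), ("lt-02", "modelA", 3, 1), ("lt-02", "modelA", 4, 0),
    ("lt-03", "modelA", 1, 0), ("lt-03", "modelA", 2, 2), ("lt-03", "modelA", 3, 0), ("lt-03", "modelA", 4, 3),
    ("lt-04", "modelB", 1, 0), ("lt-04", "modelB", 2, 0), ("lt-04", "modelB", 3, 0), ("lt-04", "modelB", 4, 0),
    ("lt-05", "modelB", 1, 1), ("lt-05", "modelB", 2, 0), ("lt-05", "modelB", 3, 0), ("lt-05", "modelB", 4, 0),
    ("lt-06", "modelB", 1, 0), ("lt-06", "modelB", 2, 0), ("lt-06", "modelB", 3, 2), ("lt-06", "modelB", 4, 0),
]


def _series(records):
    """Group records into {device: (model, [(week, open_critical), ...])} sorted by week."""
    by_dev, model = defaultdict(list), {}
    for dev, mdl, week, crit in records:
        by_dev[dev].append((week, crit))
        model[dev] = mdl
    return {dev: (model[dev], sorted(obs)) for dev, obs in by_dev.items()}


def outcome_trend(records):
    """Outcomes: fraction of devices compliant in each assessment week."""
    totals, compliant = defaultdict(int), defaultdict(int)
    for _, _, week, crit in records:
        totals[week] += 1
        compliant[week] += crit == 0
    return {w: compliant[w] / totals[w] for w in sorted(totals)}


def remediation_stats(records):
    """Outcomes: mean length in weeks of closed non-compliance streaks, plus the
    number of streaks still open at the last assessment (CIS 7.7 in practice)."""
    closed, unresolved = [], 0
    for _, (_, obs) in _series(records).items():
        streak = 0
        for _, crit in obs:
            if crit > 0:
                streak += 1
            elif streak:
                closed.append(streak)
                streak = 0
        if streak:
            unresolved += 1
    mean_weeks = sum(closed) / len(closed) if closed else 0.0
    return mean_weeks, unresolved


def repeat_offenders(records, min_drops=2):
    """Consistency: devices that fell out of compliance (compliant -> non-compliant
    between consecutive weeks) at least min_drops times across the series."""
    flagged = []
    for dev, (_, obs) in sorted(_series(records).items()):
        drops = sum(1 for (_, a), (_, b) in zip(obs, obs[1:]) if a == 0 and b > 0)
        if drops >= min_drops:
            flagged.append(dev)
    return flagged


def uniformity_by_model(records, week=None):
    """Uniformity: population std-dev of open criticals within each model cohort
    for one week (default: the latest). 0.0 means every device scored alike."""
    week = week if week is not None else max(r[2] for r in records)
    cohorts = defaultdict(list)
    for _, mdl, w, crit in records:
        if w == week:
            cohorts[mdl].append(crit)
    return {mdl: round(pstdev(v), 3) for mdl, v in sorted(cohorts.items())}


def sufficiency(records, min_compliant_fraction=0.95):
    """Sufficiency: does the latest week's compliant fraction meet the assumed
    risk-appetite threshold? Returns (fraction, meets_threshold)."""
    trend = outcome_trend(records)
    latest = trend[max(trend)]
    return latest, latest >= min_compliant_fraction


if __name__ == "__main__":
    print("compliant fraction by week:", outcome_trend(ASSESSMENTS))
    print("mean weeks to remediate, unresolved streaks:", remediation_stats(ASSESSMENTS))
    print("repeat offenders:", repeat_offenders(ASSESSMENTS))
    print("cohort spread in latest week:", uniformity_by_model(ASSESSMENTS))
    print("sufficiency vs 95% target:", sufficiency(ASSESSMENTS))
```

On the constructed data, lt-03 is the only device that falls out of compliance twice, modelA shows a non-zero spread in the latest week while modelB is uniform, and the fleet sits at five of six devices compliant, which is below the assumed 95% appetite. Those are the three kinds of answer a CEO can act on: which devices need intervention, which cohort is behaving unevenly, and whether the overall level is sufficient.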
So, there you have it – a very quick overview of the Security FOCUS concepts. You will see these concepts echo throughout our products as we release solutions that unify and align ITOps, SecOps, the C-Suite and Device Owners. This level of strategic thinking will help us all move from checklists of cybersecurity capability existence to the pragmatic business management of cyber risk.
For more information about BigFix, visit www.BigFix.com or Contact Us.