Cybersecurity is a Business Decision Process, Not an IT Problem
Last year, Gartner, a research and advisory group, published an article about treating cybersecurity as a business decision rather than an IT problem (ID G00466055). The article is long, so the TLDR version is that most companies are asking the wrong questions about cybersecurity, which leads to bad investments. Due to these wrong questions, businesses are taking the wrong approaches to their cybersecurity, and ending up with a security posture that does not have the right levels of protection. Let’s unpack that in language we can all understand.
Perception is Reality
For most of us, when we see a problem, we want a fix for it. In this respect, cybersecurity is no different. Unfortunately, we also treat cybersecurity like some sort of black magic. IT security people are treated like wizards who wield this magic. Business owners pay them money to craft ‘spells’ that ward off bad guys. The wizard gets no business information to work from, and if something goes wrong, obviously we need new wizards!
Sure, we see the absurdity of that scenario. Unfortunately, this happens all the time. We, as business owners, need to alter how we see cybersecurity and our wizards. We need to start seeing cybersecurity as a business decision process that happens continually, and the wizards as our CISO (Chief Information Security Officer) who can give us actionable data with which to make decisions.
Questions we should be asking
When a business owner has to make a decision, we want to know four main things: how much does it cost, what risks will we incur, can we quantify the first two in terms of the chance of something happening, and what rules do we have to follow that affect any of that? Again, let’s put this into easy scenarios so we can understand it better.
How much?
Our wizard has asked for funding for a cybersecurity initiative to better protect our organization. We said “Sure!”, and then wrote the check. Later, when we had an incident, our attitude was “We gave you what you asked for, why didn’t YOU protect us?” We should have been asking about the initiative and how it would protect the organization. Did it address all our needs: our people, stakeholders, data, etc.? What does this initiative look like from a business context, not just from a cybersecurity aspect? Is it the best spend?
What’s the Risk?
Our wizard is back with a new initiative. He has given you the costs, put it into a business context and clearly put some thought into it. He has also mentioned that there are a few risks with this initiative. As the business owner, you have a risk tolerance. As the wizard lays out what the risks are, you can decide if they fall into your organization’s tolerance levels. If they do not, then the initiative is not worth the spend. The important point is that you are reviewing it in a business context, not just as a measure of lowering your risk.
How can we Quantify that?
The next bit of black magic your wizard has come up with is pretty darn cool. You also know that the board needs it to be quantifiable. Developing defensible results, flow charts, and graphs can be an expensive burden, and one that will almost certainly produce the results you want to see: you can manipulate the data to do so, and because you have put so much time and effort into it, you will be sure it does. Make sure the decision includes an actual exercise of how the result would be used with real business data. The three questions to ask here are: is it worth it to even try to quantify it? Can the data that is being used be manipulated to show a desired outcome? Finally, is this a day-to-day decision we should be investing in anyway?
But are we compliant?
Wizards Union Local 404 says that for spells to work properly, you, the wizard, must have: a pointy hat, a robe with stars on it, round glasses, and a wand. We already know that spells don’t always work (and we totally had the pointy hat and other things), so being compliant does not equal protection either. Compliance isn’t a bad thing; in fact, it’s a great way to find a baseline. What it doesn’t do is address your specific business concerns about the risks or controls that are important to your business. The important questions are: Do we fall into an industry that is regulated, or do we have to follow guidelines like HIPAA, PCI, SOX, or GDPR? Should we use ISO, NIST, or SANS controls as a baseline? Are we using business data to determine where to focus the spend instead of a checkbox in an audit?
Now that we have the right questions to start asking about cybersecurity, how do we put a standard in place we can follow?
CARE standards, for Cybersecurity?
We know we can never completely protect our businesses. In fact, we must assume we will experience a breach or a hack. What we can do is create adequate, reasonable, consistent, and effective controls that are both credible and defensible. These four characteristics of a good security posture give a balance of protecting your business while still keeping your business running.
Cybersecurity is a business decision, and it is reflected in the choices you make. Applying adequate, reasonable, consistent, and effective controls shows your employees, stakeholders, and customers that you are making the right decisions and doing what you can to improve your security posture.
The need to treat cybersecurity as a business decision has never been more important. Now you have the right questions to ask, the right people (or wizards) to guide you, and the tools to help you do it.
Next time we will focus on the goblins (employees) in your own organization that your wizards (CISO) must battle to keep your organization safe even from itself.