Unlocking the Black Box of Prioritization
What I’ve Been Thinking About
If you know me, you know that I tend to follow the KIS principle of “keeping things simple.” When I talk about daily security operations and what I would call security hygiene, I always emphasize that you can have as much tooling and automation as you possibly can, but at some point, the simple truth is that someone still has to do the work.
So the biggest question that has driven me for a long time is: how do you prioritize your work? When I led a security team, I knew we had limited resources in terms of time, money, and people. I had to accept that we couldn’t accomplish everything we wanted in the amount of time we had, so I was constantly trying to figure out a way to identify the most important initiatives we should be working on right now. Unfortunately, while it seems obvious, prioritization in security is not as objective as one would like, and everyone is going to have an opinion. Therefore, you have to apply some form of objectivity to your security initiatives in order to help answer the key question of what the top priority is.
To me, the logical process to get there is to assess your security posture (repeatedly) and prioritize the remediation of the findings from those assessments. The biggest element in that process is to ensure that, of the findings that have been identified, you prioritize the right fixes in the right order to produce the largest reduction of risk. Then, as you continue to follow and track this process, you can begin to demonstrate the progress you’re making and show an ROI on your security resources. This process may even give you data that can become ammunition for further investment.
It’s a simple process, but the most important factor is being able to prioritize the findings from your security testing. I’ll focus on the types of testing you should be doing in a separate article, but let’s assume your testing is identifying issues that need to be addressed. The best thing you can do is assign an objective formula or weighted algorithm to help stack rank those issues. This algorithm affords you the opportunity to provide business and environmental context to your prioritization that you won’t get from simple automation or even a CVSS score. Your added context is the key to unlocking that black box of prioritization so everyone on the team can align.
A scanning tool doesn’t know the context of the assets it’s scanning and thus cannot provide the full picture of the true risk of its findings. That is why you need a way to score those findings within the context of your organization, environment, and compensating controls to identify findings in a truly prioritized fashion. What is also important is that, with this contextual scoring algorithm, you now have the ability to adapt to your business needs over time. The algorithm can adapt and still provide the objectivity needed, because as the business context changes, the algorithm can objectively re-score the issues and thus give you a prioritization that reflects those adjustments.
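To make the idea of a weighted, context-aware scoring formula concrete, here is an added example (my illustration, not code from the newsletter): it takes a scanner’s CVSS base score and weights it by asset criticality, internet exposure, and compensating controls, then shows how the ranking changes when the business context changes. The asset names, findings, weights and control discounts are all constructed and hypothetical; any real program would tune them to its own environment.

```python
# Added example (not from the newsletter): a contextual scoring formula that
# re-ranks scanner findings using business context. Weights, asset names and
# findings are constructed for illustration only.
from dataclasses import dataclass
import copy

@dataclass(frozen=True)
class Finding:
    ident: str   # hypothetical finding id
    cvss: float  # scanner-supplied base score, 0-10
    asset: str   # asset the finding was observed on

# Hypothetical organizational context: criticality (0-1), internet exposure,
# and compensating controls that reduce the likelihood of exploitation.
BASE_CONTEXT = {
    "crm-db": {"criticality": 1.0, "exposed": False, "controls": ["mfa", "segmented"]},
    "marketing-site": {"criticality": 0.2, "exposed": True, "controls": ["waf"]},
    "dev-jenkins": {"criticality": 0.7, "exposed": True, "controls": ["vpn_only"]},
}
CONTROL_DISCOUNT = {"mfa": 0.2, "segmented": 0.3, "vpn_only": 0.4, "waf": 0.2}

SAMPLE_FINDINGS = [  # constructed sample scanner output
    Finding("A", 9.8, "marketing-site"),
    Finding("B", 7.5, "crm-db"),
    Finding("C", 8.1, "dev-jenkins"),
]

def contextual_score(f: Finding, context: dict) -> float:
    """CVSS weighted by asset criticality, exposure, and compensating controls."""
    ctx = context[f.asset]
    score = f.cvss * (0.2 + 0.8 * ctx["criticality"])  # criticality weight
    if ctx["exposed"]:
        score *= 1.25                                   # internet-facing boost
    discount = min(sum(CONTROL_DISCOUNT.get(c, 0.0) for c in ctx["controls"]), 0.8)
    score *= 1.0 - discount                             # controls never fully erase risk
    return round(min(score, 10.0), 2)

def prioritize(findings, context):
    """Stack-rank findings by contextual score, highest first."""
    return sorted(findings, key=lambda f: contextual_score(f, context), reverse=True)

def with_context_change(context, asset, **updates):
    """Return a re-scorable copy of the context after a business change."""
    new = copy.deepcopy(context)
    new[asset].update(updates)
    return new

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, BASE_CONTEXT):
        print(f.ident, f.cvss, contextual_score(f, BASE_CONTEXT))
```

Sorted by CVSS alone the order is A, C, B; with context applied it becomes C, B, A, and marking the marketing site as critical for a product launch moves A back to the top without changing the formula.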
Again, I know this sounds simple, but simple doesn’t mean easy. Adding business context to frameworks and scores from tools or vendors to arrive at an objective scoring equation for your organization can be hard, but it is important. It’s easy to get caught up in the whirlwind of security tooling and end up with lots of data but no way to use it expediently. Start with the basics of establishing a good process for identifying your key risks, prioritizing them, and then showing your progress over time. Without that process in place, you’ll spend a lot of time and money chasing alerts, findings, and risks without any way to show why you’re doing what you’re doing. Nothing leads to burnout and feeling overwhelmed faster than that.
In the “test, fix, validate, repeat” process of an effective security program, determining how to effectively prioritize what to fix first can be the most mystifying part. Invest the time in figuring out an objective scoring system for your organizational context, and those cycles will become faster and easier.
Start With Why
My Musing on Leadership
“Leaders are readers” is an adage that tends to be true. I’m a huge leadership junkie. I have always taken leadership seriously and recognized early on that leadership is a skill just like any other. It must be trained, honed, and developed. Leadership is also not just a role for people managers. In fact, if you don’t have any leaders in your organization who don’t manage people, you’re in trouble. While I don’t claim to be the perfect leader, I do think it’s important to focus on leadership principles just as much as any other skill we should be developing.
So with that being said, I’m a huge Simon Sinek fan. I’ve had the opportunity to hear him speak a few times and have read his books as well (“caveat emptor,” a majority of my “reading” is via audiobooks). Sinek may be best known for his talk and book “Start with Why.” The core tenet of this paradigm is that knowing your purpose as a company, individual, or team is what drives true transformation and inspiration.
We live in an era where we all ask questions and find it hard to simply follow a path without asking why we’re doing something in the first place. As a leader, casting the vision, sharing the vision, and repeating the vision is absolutely essential for getting the best from your team. By defining and reiterating the “why” behind what you’re doing, your team draws from a sense of purpose, meaning, and, ultimately, fulfillment. Sinek summarizes it best by saying, “People don't buy what you do; they buy why you do it.”
“People don't buy what you do; they buy why you do it.” — Simon Sinek
TikTok Security in the News … Again
My Thoughts on the Latest Cybersecurity Headlines
Having worked for the DOD in my career, I’ve taken a particular interest in the progress of the legislation that, if signed into law, could constitute a ban on TikTok. The DOD raised concerns about the social media platform a year ago, and bipartisan apprehension from Congress, the White House, and the general public in the US hasn’t gone away. The recent vote by the House to pass this legislation, which would effectively ban the app unless it is sold within six months, represents a messy dichotomy in cyber, with concrete questions of security at one end and existential questions of personal choice at the other.
As a security professional, I see the risks presented by TikTok as very clear. In my almost 20 years of experience in cyber, I’ve been exposed to reports and briefings on advanced threat actors, much like what I assume House members received outlining top intelligence and national security agencies’ analysis of TikTok, as reported by NPR. For the House to overwhelmingly pass (362-65) the legislation after “a rare 50-0 committee vote moving it to the floor,” according to ABC News, tells me that the information about TikTok, which the public isn’t privy to, is extremely compelling.
Some find the stated security concerns, including that the “Chinese government could use TikTok to spy on Americans, push pro-China propaganda, or use the service to interfere in U.S. elections,” according to an NPR article, to be lacking concrete evidence. A recent BBC article argued, “The overall picture, then, is one of theoretical fears - and theoretical risk.” I contend that all risk is theoretical … until it’s not. In offensive security, we are constantly seeking to proactively identify and assess theoretical risk before it becomes actual, and to present potential risk clearly so our organizations can make choices about the level of risk they are willing to accept. This is the whole notion of threat modeling: identifying the key gaps in your security posture before someone else does.
The interesting thing about the current situation is watching the question of acceptable cybersecurity risk play out not within a private organization but rather in public policy, which could affect not only national security but also personal choice of citizens. I think this situation in and of itself is an interesting topic of discussion because I absolutely recognize the security implications of TikTok and the threat it seemingly poses on the security of its users and organizations. And I also recognize the precedent such a ban could set with respect to personal choice, privacy, and a free market.
From a corporate point of view, and even regarding government entities and employees, restricting TikTok is more than justifiable. We are well aware of the policies and practices of the CCP — to which ByteDance is surely not immune — and the threat those pose to national security. However, banning TikTok for the whole of the American public sets an interesting precedent and has far-reaching implications.
I look forward to the conversations we must have about those implications and the balance that is so difficult to strike between security, privacy, and personal freedom. Where do you fall on the spectrum when it comes to the TikTok legislation?
Trusted Advisor | Security Researcher | Voted Best Radio Voice 2024 in a competition of 1 | Automation & IoT enthusiast
7 months: You know, too often people forget that leadership is a skill, not just a title, or maybe they never knew that! I look forward to seeing additional articles published. Keep ’em coming!
Co-Founder and CTO at OnDefend
7 months: I'm a big fan of newsletters with a pun for a name!
Co-Founder and CEO at OnDefend
7 months: Very cool, Daniel DeCloss!!
Product Management | Go-to-Market Strategy | Agile Project Management | Digital Strategies | Customer Relationships
7 months: Very cool!