What if your cybersecurity is based mostly on bullshit?
As Professor Harry G. Frankfurt of Princeton University once wrote,
‘One of the most salient features of our culture is that there is so much bullshit.’
And nowhere is this more true than in keynote speeches at cybersecurity conferences. But all that bullshit is there for a reason. What would happen if you stripped out the double-talk of the Thought Leader CISO? You'd get something more honest and truthful, like this…
Cybersecurity is a means, and not an end. And as a means, security is always about risk, in the sense that more things can happen than will; under these conditions, security risk management is about making a decision and accepting a set of tradeoffs.
This might seem like an odd thing to acknowledge, but one of those tradeoffs is deciding how many security incidents is the right number for your business. That number can’t be unbounded, and it can’t be zero either, as zero probably means you’re overspending on protection.
And if you’re overspending your finite capital on protecting value, the tradeoff you’ve implicitly made is not spending that same capital to grow your business’s revenue, enhance your customers’ delight or shrink your operating costs. No CEO or Board of Directors is going to tolerate that tradeoff for long. Security failure must be a viable option, even if no one recognises it, or wants to acknowledge it.
There will never be a one-size-fits-all answer to that question; any qualified answer will be context dependent. For example, a threat model for an embedded medical device would be entirely different from one for a warehouse inventory control system. Nevertheless, whatever context actually matters to you will need an attack surface metric, and that performance metric must be meaningful and scalable.
Let’s face it, none of the above will fly in bare form on the conference circuit. Instead, load up a bunch of “Advanced Persistent Threat”, “Operational Threat Intelligence” or “Dark Web” and then you’ve got cyber dazzle.
Or you could be honest with yourself and recognise that you’re ignoring the need for contextualised performance measures as an input to your cybersecurity strategy. These performance measures need to be not merely an input to strategy rather than an output of the strategic process, but also designed specifically to provide the information that supports decision making and tradeoff analysis.
So, go on, be honest with yourself, what’s your cybersecurity really based on?
H/T to Mitch Sullivan for introducing the work of Harry G. Frankfurt. Harry can be watched here; his book is available here.