Monday, February 2, 2017 at 7:00 AM, as I finished registering for my 15th RSA Conference, I was provoked by a set of four billboards on the side of Moscone North. Here is the picture I took that morning from the second floor of Moscone West:
The Moment You Link Business Risk To a Security Incident That’s Business-Driven Security™. As someone who has been responsible for managing information risk and security for over 15 years, I can tell everyone with absolute certainty from the CISO, CSO, and CPO seat, this message is wrong. Not only is it incorrect, it is harmful. Harmful to your customers, to your shareholders, potentially to society, and in the end, harmful to your organization or business.
Does the 'RSA' in RSA Conference stand for Reactive Security Approach? Well, based on that trademarked statement on the billboards, and my reflection back the past fifteen years, it just might.
I have long believed that the security industry profits from the insecurity of computing. Therefore, most of the industry has no real economic incentive to solve the security problem. If you’re wondering why an industry created to solve security problems does not have the business incentive to solve it, congratulations, you’re asking the right questions.
I have witnessed this countless times in my roles and engagements with countless security vendors who want us to believe that compromise is inevitable and that we should just give up, be victimized, and just focus on speeding up detection of harm and response vs. proactively preventing incidents from occurring. A phrase, or variations of it, often said to customers looking to buy cybersecurity products is, “You’re going to be hacked, it’s just a matter of time. Recover quicker and find the bad guy.”
So, when I encountered these billboards, I was left once again with additional proof that I was right. The industry wants us to stay reactive and incident driven so it can profit from harm. There’s zero discussion in this phrase of how to protect customers and how to best stop the attacks from happening.
Why We Should Protect To Enable®
Business-driven security isn’t about linking business risk to an incident – unless you’re a security vendor who feeds off reactive detection and response, since that drives your business and your profits. I have said for years that business-driven security is about the mission of the information risk and security team - Protect to Enable. When you are protecting to enable people, data, and the business, you are proactively engaged upfront and aligned with the business on the evaluation of how to achieve the business objective, while best optimizing your controls.
I achieve that through my ‘9 Box Of Controls’ approach that I blogged about last year after RSA, and published in September of 2016 in the second edition of my book – Managing Risk and Information Security: Protect to Enable. It appears the industry still hasn’t caught onto the basics of enabling business while protecting organizations. Here’s a refresher:
You can also do that by implementing the NIST Cybersecurity Framework and continuously walking through the macro steps that it outlines.
Prevention Steps: Identify and Protect.
Reaction Steps: Detect, Respond, and Recover.
If implemented properly, this framework can set the stage for having the right discussion within an organization on information risk. It can also, when viewed in the context of the 9 Box of Controls, drive a ‘shift left and shift down’, which results in the lowest risk, lowest cost, least amount of liability, and lowest control friction spot – so we can all Protect to Enable.
Now let’s look at some data from recent surveys and studies to see how we are doing and what results are being achieved as an industry:
2016 Europol Internet Organized Crime Threat Assessment Report
- Increase acceleration of previous trends
- APT and cyber crime boundaries blur
- Majority of attacks are neither sophisticated or advanced: techniques are reused, recycled, and re-introduced
- Investing in prevention may be more effective than investigating
2016-2017 National Association of Corporate Directors Public Company Governance Survey
- Cybersecurity threats are expected to have the fifth greatest effect on a company in the next 12 months
- 75% of respondents report short term performance pressures compromise management and the board’s ability to focus on the long-term
- Directors continue to wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge on this growing risk
ISSA Through the Eyes of Cyber Professionals – Part 2
- 45% of cyber professionals think their organizations are significantly vulnerable to cyberattacks
- 47% think their organizations are somewhat vulnerable to cyberattacks
- 40% of cyber professionals want goals established for IT around cybersecurity
- 44% of cyber professionals indicate they do not get enough time with the board
- 21% say that business and executive management treat cybersecurity as a low priority
- 61% of CISO turnover is due to a lack of a serious cybersecurity culture and not active participation from executives
Piper Jaffray October 2016 – The Breacher Report
- Based on correlation analysis, there is a 74.1% correlation between breach activity and revenue growth for the security industry
When the Solution Becomes Part of the Problem
From what I saw at RSA 2017 this year and the data above, the security industry is a part of the problem. We need to do better. We have to do better. Otherwise, the potential we have in front of us with technological advancements that can benefit business and benefit society is in question.
JFK once said, “the problems of the world cannot be solved by skeptics or cynics whose horizons are limited by the obvious realities. We need men who can dream of things that never were and ask why not.”
My advice to business leaders is this - don't just throw money at the symptoms. Fix the problem.
I hope that we can all focus on NOT positioning the work of managing risk as an ‘either this or that’ function. Don't position business velocity vs. business control. Don't position needing to balance privacy against the need for security. If we start with a mindset of trading these items off against each other, we will not be successful, because we will design our digital transformation to be at odds with the digital control needed to do this right.
And then, we will be left with throwing money at symptoms after the fact, reactively detecting and responding to risk rather than fixing the problem from the ground up.