I think if Mel Brooks made "Blazing CyberSecurity" today, his quote as Governor would be "Threats, Threats, Threats."
Yesterday, I chaired a panel for the Northern Virginia Technology Council on cyberthreats. Had some great panelists talking about the results of their companies' threat reports, along with words from NIST on the security framework effort triggered by President Obama's Executive Order:
The first three had great presentations on threats, and I could have had someone from PwC present on their "Cyberthreats Continue" report, where they say CEOs are "misjudging the severity of risks they face from a financial, reputational, and regulatory perspective."

I know we would all like to believe this, and certainly many are. But the vast majority actually really do weigh those risks, using the same formal or informal thinking they use to judge the risk of investing in a new product, or doing a merger or acquisition. Too often they find the cost of dealing with those security risks from a business disruption and budget point of view is actually higher than their anticipated cost of not funding and deploying mitigation - and they are quite often right.

Risk management is not making sure you have no cyber risks!! Risk management done right will often take risks when avoiding the risk is worse than the alternative - that is why many battles are won and many new business initiatives succeed, even though many fail. The real leaps forward are not made by convincing management about threat risk, they are made by showing them solutions to the risks that are less disruptive and less expensive to the business than enduring the breach.
Fittingly, most of the audience questions were not about the threats discussed, they were along the lines of "OK, that's nice - but how do we convince management they need to fund us to do something?" Now, imagine if a business manager went to the CEO and said "Competitive threats are increasing!! We need to do something!! It is scary!! Give me some money!!"
Now, a pause here to address the "Return on Investment" myth. Dogma says that "well, business guys get funding because they present ROI and we (need to/can't) do that in security." If you look at the reality of how CEOs or venture capitalists make investment decisions, you find that most of them realize ROI or future sales/revenue projections are about as accurate as weather forecasts. They usually make their decisions based on the quality and track record of the team that will run the business, and on their judgement of opportunity costs: if I spend the money here, how will that disrupt my business by depriving some other area of business or investment of funding?
That captures where we are today in security: we don't need to keep flogging the threat, we need to be able to propose solutions that don't disrupt the business and cause a huge opportunity cost, regardless of the actual procurement cost of the solution. Simple example: BYOD solutions that propose "back to the mainframe" approaches like making users use dumb terminal apps or total lockdown on their smartphones or tablets; or the US Government trying to force government employees to use Smart Cards (remember those?) for authentication on mobile devices...
Coming up with solutions that balance business disruption and security is harder (much harder) than flogging the threat or pushing draconian solutions. But, the interesting part is there actually are a lot of success stories out there. At Gartner I used to love doing Case Study notes when I found these and could get the user to talk about them, and at SANS we are building back up the What Works and other programs where we highlight these solutions that solved security problems (not all!) and enabled the business or the mission at the same time.
So, Mel - a suggestion for that line in the new movie: "What Works? What Works? What Works?"