
Running down a dream

Reading the daily security news, as many in the field do, I came across this quote on InsuranceThoughtLeadership.com, written by Scott M. Kannry, CEO of Axio Global:

“Anybody who knows anything about cyber is likely thinking, ‘It’s impossible to solve cyber risk!’ But what if we redefine ‘solve’ as: ‘to provide security leaders and firms with an accurate picture of their cyber exposure, with the ability to effectively manage the risk and with resiliency when an event happens.’” 

Though the quote and the article in its entirety were referring to how cyber risk insurance can help “solve” cyber, it occurred to me that this quote can—and possibly should—be applied to cybersecurity in general.

I felt so good, like anything was possible

Cybersecurity is a lot like driving; towns and cities and their respective road crews can keep roads in ace condition and post all kinds of clearly marked signs for speed limits, road hazards, dangerous curves, blind driveways, and the like. Police can patrol the roads for dangerous or illegal driving. Car manufacturers can build cars with all types of safety features included. But at the end of the day, no matter how scrupulously manufacturers build vehicles, how highly regulated or enforced the laws, or how carefully drivers drive down the roads, accidents will happen. An animal could suddenly run into the road causing a driver to stop short and get rear ended. The car’s brakes could fail or a tire could go flat, forcing a collision. Excessive water on the road could result in the car hydroplaning into a ditch. Endless possibilities exist for monkey wrenches to appear in the system.

Just like security.

This is not news to security practitioners; the industry knows (and lives) the mountains of obstacles that keep companies, data, and systems from ever being impenetrable. Yet, despite knowing that no company is immune to a breach, the community hasn’t come around to the idea that managing security is actually managing shades of risk. Security teams remain laser focused on the technical details for which they are responsible and fail to communicate with executive management, who want nothing more than to understand how security is helping the organization achieve business goals—i.e., reduce risk so the company can gain greater market share and generate more revenue. Executive management doesn’t expect security to be “perfect,” but security itself still considers any tree branch that falls into the road a “fail.”

I hit cruise control and rubbed my eyes

Nothing is absolute. In other words, as Kannry alluded to, in order “to effectively manage the risk” and be resilient “when an event happens,” security leaders first need to understand their cyber exposure and then translate that into risk—the language the business understands and uses. Whether doing so happens through working with a cyber insurance agency or some other means is a different topic for a different post. The takeaway here, though, is that most security departments today are still deficient in the ability to create a clear, actionable risk profile for their organizations.

One veteran MISTI conference speaker has frequently said that a portion of the problem lies in how security practitioners refer to and think about security: in terms of “winning” or “losing.” Anything categorized as either a “win” or a “loss” is absolute. And security will never be absolute. The industry has already accepted the fact that at some point every organization will be breached, so why perpetuate the “winning or losing” myth? Wouldn’t it be more beneficial to measure security against progress made, without any arbitrary goal line as a demarcation point?

People like the idea of winning, though, so perhaps instead of completely upending the accepted nomenclature, “winning” could be redefined as “reducing risk” or “mitigating incidents in a shorter timeframe with fewer losses” rather than “no incident whatsoever.” Leadership expert Michael Santarcangelo calls this concept “an infinite game,” an excellent analogy and one that means the industry doesn’t have to do a 180° on its thinking.

Workin’ on a mystery, goin’ wherever it leads

The key isn’t solving anything, in the sense that “solve” connotes finality, and there is no end point in security (pun intended). Instead, these shades of risk and making forward progress are the keys to effectively managing security programs and ensuring organizations remain resilient in the eventuality of an incident.