In cybersecurity, the wrong questions are asked far too often. Case in point: executives are notorious for asking IF their organization is secure, rather than HOW secure it is. It is a subtle difference but an important one. The question frames the problem and therefore defines how it will be perceived and answered.
Cybersecurity cannot be properly described in terms of yes or no. The crux of the dilemma is that a yes-or-no answer invokes flawed preconceived assumptions. Phrasing the question in that manner assumes that if you are secure, then you won’t be compromised or impacted, and audiences may believe no further attention or resources are required. Conversely, if the answer is that you aren’t secure, the implication is that you will surely be victimized. Yet it is just not that straightforward.
Security is about managing risk. More specifically, the risk of loss, which can include damages, downtime, reputation impacts, regulatory non-compliance, loss of customer and partner goodwill, opportunity costs, etc. Risk is a gradient that depends upon vulnerabilities, controls, threats, time, technology, behavioral elements, and other factors. It is a sliding scale that changes over time, sometimes radically.
Pursuit of a preconceived security state, where loss is totally avoided and no future investment is required, is an illusion. The threats are continually changing, adapting, and improving their ways of undermining protections. Cybersecurity is an ongoing set of practices and controls, which are investments in the management of risk of loss. Regardless of the security investment, every compute environment will always have some degree of weakness. No system is perfectly secure, impervious to attack, or immune to compromise. Losses can, and likely will, happen over time. In today’s business and internet-connected environment, every organization gets compromised. The difference is that some realize it and others remain unaware.
The situation is ironic, as we in the heart of the security industry are largely at fault for propagating false perceptions of how to measure and describe success. Years ago, it was a way of simplifying the challenges for management and getting rapid buy-in for initial investments in security. Professionals and industry advocates justified the means by the results achieved. But now we are suffering because of it. The real question that should be asked is about the tradeoffs between costs, risks, and productivity.
What people really want to know is whether they are secure enough. That requires the daunting task of defining an acceptable baseline of risk. This uncomfortable perspective is part of the beauty of this line of thought: it is a forcing function. Management should be thinking in those terms. Effective controls can improve system availability, protect valuable information, and keep customers from being unhappy. But everything comes with a cost. The amount of security should be related to those tradeoffs, in pursuit of the optimal level of risk management.
From now on, don’t ask if you are secure. Instead, ask how efficient and effective your security program is relative to the investment expectations. Understand that the answer is about costs versus reductions in risk and the expected residual losses. This will help everyone understand whether tuning or changes are needed.