You Haven’t Been Breached – But Have You Been Bold?
It's time to rethink how we measure the success of a security program
By: Jon R. Ramsey
When our job is IT security, what often first comes to mind is protecting information assets from compromises. As security leaders, we focus a lot of attention on risk mitigation and resiliency – protection from cyber threats and preparedness to detect and respond quickly. These are the foundations of a strong cybersecurity program and yet your program's efficacy cannot be measured by examining these criteria alone. Threats to the business do not always come in the form of nefarious cyber-criminals. Too often, the lack of a compromise is considered a primary success indicator, but if the prohibition of technological innovation is a byproduct of the strategy, can we really call it a success?
The first job of a security leader is to not get in the way of the business. The second job is to not let anyone else get in the way of the business.
Security Should Enable Businesses to Make Bold Moves
Technology is advancing at an exponential rate, and from a security perspective, new technologies mean the introduction of new vulnerabilities. But if security is doing its job, it should allow the business to adopt the technology to its fullest potential. Let's say a hospital wants to introduce the latest imaging capabilities – if its ability to improve the standard of care relies upon new technologies, then letting a vulnerability prevent adoption could compromise the well-being of patients.
Look at tech giants like Google, Apple, Tesla – the way we get information or listen to music, the way we drive, even the way we call an elevator – all of these daily activities have changed substantially even in the last couple of years. Now imagine 100% of your revenue comes from technology you've built. The vulnerabilities within that technology represent risk, but the solution cannot be to stop innovating. A great security leader isn't measured solely by the absence of a compromise. Whether it's an attacker taking down your network for malicious purposes or a CISO telling your company to take down your network because of the risk, the outcome for the business is the same. A great security leader enables innovation because they've figured out how to mitigate the risks while pursuing new technologies.
Amending the Security Mindset
The idea that security stifles innovation still persists across industries. Even in the security space itself, we see missed opportunities to innovate because every new technology carries inherent risk. But if security is to be effective and still allow for innovation, we have to redefine success and apply methodologies that deliver both. Start with situational awareness: understand how the technology will be used and what value it offers.
- Is the technology important enough to the business to find a way to secure it?
- Is it providing a critical service?
- Does it have access to confidential information?
- What's the attack aperture – how much of the technology is exposed to attackers, and through which paths?
Assess the situation based on a set of questions like these and then take action to mitigate the risk. Minimize the aperture, and for the aperture that remains, maintain visibility and situational awareness of the technology so that you are in a position to prevent attacks and to notice when something happens. Threat modeling can be valuable in developing your plan to prevent attacks and in constraining how attackers gain access. Be in a position to detect and respond to a potential compromise. Controlling what happens in your environment is a powerful thing that enables a bold use of technology. The amount of security rigor you need depends on your risk tolerance, but the risk aversion of your organization should always be weighed against the opportunity for the business.