February 12, 2020 • The Recorded Future Team
What’s the best approach to enterprise security? The prevailing approaches in the industry have generally been threat-based or compliance-based — but many organizations struggle to strike the right balance between technical tools and practical outcomes.
The answer is to focus on reducing risk.
During RSA Conference 2020, we’ll unveil our new book, “The Risk Business: What CISOs Need to Know About Risk-Based Cybersecurity,” to give you an actionable roadmap for success.
Author Levi Gundert draws on his decades of experience in the cybersecurity industry to develop a comprehensive framework for cybersecurity that emphasizes risk over threats. The key, he argues, is for the technical side of any organization to present intelligence to executives and other decision-makers in a language they understand: the language of risk. All operational outcomes must be framed in terms of profit, loss, and risk reduction.
The following is a sneak peek of chapter one of the book, which has been edited and condensed for clarity. Pre-order your full copy of “The Risk Business” today and discover how your organization can benefit from shifting to a risk-based approach to cybersecurity.
The Case for Risk-Based Cybersecurity
Building a successful cybersecurity program isn’t easy. One of the key factors is how you define success. In fact, if you define success the wrong way, you will end up with:
- A poor allocation of resources and time
- Misleading metrics that create the wrong incentives
- Grave failures of communication between security practitioners and management
That is exactly the situation where many cybersecurity organizations find themselves today. Their cybersecurity programs are either threat driven, focused on deploying industry best practice security controls to meet the latest cyber threats, or compliance driven, organized to “check the boxes” on security and privacy requirements produced by third-party standards organizations. Both of these approaches have grave flaws.
In this book, success is defined as a material and measurable reduction in operational risk. Adopting that definition of success will drive you to assemble processes and tools that lead to a better allocation of resources, meaningful metrics that drive the right incentives, and productive discussions between IT professionals, executives, and line managers.
In this chapter and the next, we will look at the differences between risk-driven, threat-driven, and compliance-driven cybersecurity programs. In the chapters that follow, we will describe processes and tools for implementing risk-driven cybersecurity and best practices for managing some of its prerequisites (especially threat intelligence).
If you are an information security practitioner struggling to relate to your business, this book is for you. If you’re an executive looking to make savvy security decisions based on strong risk metrics, this book is for you. This book will help you create a persistent information advantage for better security so your business can focus on being profitable.
Why You Should Listen to Me
Before we dive into these topics, I hope you’ll allow me to indulge in a little reminiscing as I describe my background in the field. I don’t want you to think I’m some guy on the street calling on you to upend your entire security strategy.
My first thoughts around the role that risk reduction plays in business strategies came when I was in university. I remember reading a book called “The Goal” in an operations management class. The book’s message — which is somewhat counterintuitive in our age of companies hyper-focused on revenue growth — is that profitability is the only meaningful business goal. For a business to thrive in perpetuity, every employee should be focused on that one bottom-line goal of increasing profits.
In the early 2000s, my work as a network security administrator gave me a front-row seat to many cyber events impacting operations at healthcare and financial services companies. Some analysts hypothesized that IT system interruptions were contributing to decreased productivity, resulting in lost revenue, but no one ever quantified the loss.
Fast-forward a few years. I was now sporting a badge and gun while pursuing cybercriminals around the world as a member of the United States Secret Service’s electronic crimes task force. I quickly realized that the concept of cyber threat intelligence (CTI) was critical to criminal investigations, aiding in suspect attribution and successful prosecutions. My successful cases started with proactive intelligence collection, almost always in coordination with brilliant minds in the private sector. I remember investigating the largest denial-of-service (DoS) attack at the time, and meeting Rabbi Rob Thomas, the CEO of Team Cymru (pronounced “cumree”), on the North American Network Operators Group (NANOG) mailing list. He was full of answers to the many questions I had.
It wasn’t long before I rejoined the private sector (no more flying armed, but better data). Between consulting for clients and contributing to the defense of an enterprise, I realized that a specific articulation of risk was the greatest challenge facing senior cybersecurity leaders.
Risk Is the Language of Business
Cybersecurity professionals tend to see themselves as business enablers. As defenders, they keep the bad guys out so that the business can operate uninterrupted.
However, the C-suite and board of directors are more concerned with profitability. Often, those at the top of the organization see cybersecurity groups as cost centers dragging down the bottom line. Changing that cost center perception is critical to building a successful cybersecurity program.
Someone once said, “There should only be two types of people in a business — those who make things, and those who sell things.” Today, there is a third category: those who defend things. This category is as necessary as the other two. However, while we have widely accepted procedures and metrics for measuring how people making things and people selling things contribute to the profitability of the enterprise (indeed, we have large accounting organizations set up to do exactly that), most organizations have barely started to think about how to measure the contribution of people who defend things.
How do you measure and communicate the value of a basic security control action? The answer lies in the language of risk. Senior decision-makers don’t necessarily understand the language of security or even technology, but they speak the language of risk.
As a cybersecurity professional, your goal should be to quantify, as a monetary value, how every potential cybersecurity investment in staff and tools can reduce risk. If you can do that, you will find it much, much easier to:
- Set priorities among alternative cybersecurity investments, based on real outcomes for the enterprise
- Justify budget requests for each investment, and for the overall level of investment in cybersecurity
- Work productively with executives and line management to estimate risk and find the most cost-effective ways to reduce it
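To make that quantification concrete, here is an added example that is not from the book or from Recorded Future. It assumes a simple frequency-times-impact model of expected annual loss, combines the effect of several controls multiplicatively, and uses constructed scenario figures and candidate investments; all of these are assumptions of the example rather than statements from the excerpt. It ranks candidate investments by the monetary risk reduction they buy net of their cost, which is the kind of comparison the list above calls for.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    """A loss scenario expressed in money: how often it happens and what one event costs."""
    name: str
    annual_frequency: float   # expected number of events per year
    loss_per_event: float     # estimated cost of one event, in dollars

    def expected_annual_loss(self) -> float:
        # Assumption of this example: expected loss = frequency x impact.
        return self.annual_frequency * self.loss_per_event


@dataclass(frozen=True)
class Investment:
    """A candidate control: its annual cost and the effect it is assumed to have."""
    name: str
    annual_cost: float
    # Fraction (0..1) by which the control reduces a scenario's frequency or impact.
    frequency_reduction: Dict[str, float] = field(default_factory=dict)
    impact_reduction: Dict[str, float] = field(default_factory=dict)


def residual_annual_loss(scenario: Scenario, controls: List[Investment]) -> float:
    """Expected annual loss from one scenario after the given controls are in place.
    Reductions from several controls are combined multiplicatively (an assumption)."""
    frequency = scenario.annual_frequency
    impact = scenario.loss_per_event
    for control in controls:
        frequency *= 1.0 - control.frequency_reduction.get(scenario.name, 0.0)
        impact *= 1.0 - control.impact_reduction.get(scenario.name, 0.0)
    return frequency * impact


def total_expected_annual_loss(scenarios: List[Scenario]) -> float:
    """Expected annual loss across all scenarios with no additional controls."""
    return sum(s.expected_annual_loss() for s in scenarios)


def annual_risk_reduction(scenarios: List[Scenario], controls: List[Investment]) -> float:
    """Dollars of expected annual loss removed by a set of controls."""
    return sum(s.expected_annual_loss() - residual_annual_loss(s, controls) for s in scenarios)


def rank_investments(scenarios: List[Scenario],
                     candidates: List[Investment]) -> List[Tuple[str, float, float, float]]:
    """Return (name, risk reduction, annual cost, net benefit) rows, best net benefit first."""
    rows = []
    for inv in candidates:
        reduction = annual_risk_reduction(scenarios, [inv])
        rows.append((inv.name, reduction, inv.annual_cost, reduction - inv.annual_cost))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample data (not real figures): two loss scenarios and three candidate controls.
SCENARIOS = [
    Scenario("ransomware", annual_frequency=0.2, loss_per_event=2_000_000),
    Scenario("account takeover", annual_frequency=3.0, loss_per_event=50_000),
]
EDR = Investment("Endpoint detection and response", annual_cost=300_000,
                 frequency_reduction={"ransomware": 0.5})
MFA = Investment("MFA on all logins", annual_cost=80_000,
                 frequency_reduction={"account takeover": 0.9})
BACKUPS = Investment("Immutable backups", annual_cost=120_000,
                     impact_reduction={"ransomware": 0.7})
CANDIDATES = [EDR, MFA, BACKUPS]


if __name__ == "__main__":
    print(f"Current expected annual loss: ${total_expected_annual_loss(SCENARIOS):,.0f}")
    for name, reduction, cost, net in rank_investments(SCENARIOS, CANDIDATES):
        print(f"{name:32s} reduces risk by ${reduction:>9,.0f} "
              f"at ${cost:>8,.0f}/yr -> net ${net:>9,.0f}")
    combined = annual_risk_reduction(SCENARIOS, [EDR, BACKUPS])
    print(f"EDR + backups together: ${combined:,.0f} reduction "
          f"for ${EDR.annual_cost + BACKUPS.annual_cost:,.0f}/yr")
```

With these constructed numbers, backups rank first (they remove $280,000 of expected annual loss for $120,000), MFA second, and EDR last, because its $300,000 cost exceeds the $200,000 of risk it removes. Combining EDR with backups shows diminishing returns: the pair removes $340,000 for $420,000, which is what a control-by-control view would miss and why the model combines effects rather than adding them.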
Making the Shift
Ready to make the shift to a risk-based approach to cybersecurity? Pre-order your copy of “The Risk Business: What CISOs Need to Know About Risk-Based Cybersecurity” to help you get started.
And while you’re at RSA Conference 2020, be sure to stop by Booth 723 to learn how security intelligence can help amplify your security program and help teams make faster, more confident, risk-based decisions.