Cyber security is failing society. The unsustainable level of cyber-crime, cyber espionage, and cyber war is a serious issue with the potential to drastically alter the fabric of our society. Many disagree on the magnitude of the problem, but not that it is a serious problem.
In some areas cyber security is not taken seriously enough, while in others, leaders don’t know what to do. We - as cyber security leaders - are partially to blame. Boards and senior leaders are being told to pay attention to cyber security, and they would like to, but they have a limited understanding of it. Senior leaders think strategically, so we need to think and communicate strategically. Most executives today can articulate a level of risk tolerance, but they don’t know whether their organization has achieved it, or achieved it efficiently. This makes cyber security seem opaque.
The aspect of our environment that differentiates it from the rest of our organizations is cyber war. The preamble of the U.S. Constitution calls for the Federal Government to “provide for the common defense.” This has worked well for more than two centuries. In cyber space, however, the federal government does not defend private networks; each organization is left to defend its own. The huge number of attacks on our networks by foreign governments indicates some level of conflict. If the damage done to Sony had been done with physical weapons it would clearly have been an act of war. I think we can make a credible argument that we are currently in a low-intensity cyber war. So not only do we have to protect our organizations from criminals, we also have an important part in defending the Nation.
Most high-level cyber security discussions center on risk management. Rather than being the end, risk management is an important step toward a strategy. Once the organization’s leadership determines the appropriate level of cyber risk, the CISO must come up with a strategy to achieve that risk level as efficiently as possible.
My definition of strategy is a “plan that allocates resources and sets a framework for decision-making to achieve long-term goals.” It must include all three parts to be an effective strategy. It must prioritize resource use. Who needs a strategy if you have all the resources you need? It must allow people at all levels to make decisions, large and small, that align with the strategy. Finally, it must be a plan to achieve long-term, or strategic, goals.
There are three characteristics of cyber security that suggest a different approach than the traditional “strengths, weaknesses, opportunities, threats” or SWOT analysis. First, cyber security will always be a function of the whole organization; it never stands alone. Second, cyber security is reactive, not pro-active; the attacker chooses the time, place and method of the attack. Finally, cyber security is asymmetrical; actions are available to our adversaries that are not possible for us. So rather than SWOT, we must look at the risks and the constraints.
I think of risk as the likelihood that a threat occurrence will result in an adverse impact. Determining likelihood comes from understanding how valuable your information is to the attacker. We determine risk by looking at our assets from the perspective of the attackers: understanding what they want and how badly they want it. Then we look at the adverse impact on our organization should the attackers succeed. This understanding is critical to creating a cyber security strategy, and understanding the range of threats your organization faces is the first step.
We must understand the constraints on the cyber security program. The idea behind constraints is that we all pretty much know what we’d do in a perfect world, i.e., unlimited funding, complete cooperation, many talented staff, etc. But we don’t live in a perfect world, so we must understand the constraints of the environment. These are the most important constraints a cyber security program faces: funding, regulations and laws, staff time and talent, business overhead, political capital, accountability, and calendar time.
Governance is a critical part of cyber security and must be part of the strategy. Heavy governance can build trust, gain more money, justify more security overhead and relax many of the constraints on the cyber security program. Heavy governance can also slow decisions and lead to poor outcomes. Light governance is much more agile, but is likely to operate under heavier constraints.
Developing a cyber security strategy requires choosing some “security patterns.” Example patterns include the kill chain, people-centric security, and security zones, among many others. Then use a matrix approach that crosses the key functions (Identify, Protect, Detect, Respond and Recover, the five functions of the NIST Cybersecurity Framework) with the resources that deliver them: technology, people, and process. Once you have identified the projects and initiatives, you must create a plan. Sequencing these initiatives converts the analysis into a plan. This addresses two of the three parts of the strategy.
The final part is to communicate the strategy so that people can use it to guide them. A strategy that someone can keep in their head fits on a single slide. There are two effective ways to fit a strategy on a slide. One is the old standby of bullets: text phrases that capture the essence of your strategy. The other is a diagram. Either can be used in a presentation of 2-5 minutes that also creates a memory aid for your audience.
When you first start communicating your strategy, get all the feedback you can. Study the faces of people in your presentations. Talk to people afterwards. Chances are that you’ll want to modify your communication over time. You’ll find that words and concepts that make perfect sense to you are lost on some stakeholders, or worse, evoke a bad reaction.
I’m tempted to say that communicating your strategy is the most important part, but I won’t. What I will say is that if you don’t effectively prioritize your resources and communicate a plan that achieves the right risk level, you will struggle as a CISO and your organization will struggle with cyber security.