Thursday, 9 July 2015

How smart organizations implement security

There are a number of ways in which organizations can improve their cyber security - a few smart ones and many dumb and expensive ones. It is the role of an effective security leader to ensure that their organization gets the most out of the smart ways to improve security, and avoids the dumb ones as much as possible.

In the last decade, I have come across [1] four methods: three (dumb ones) seem to be in widespread use, and the fourth (smart one) seems to go largely unnoticed. The four methods are:
  • The FUD bomb
  • The Risk based strategy
  • The Compliance strategy
  • Guerilla tactics
The first three are the losing methods. The FUD bomb used to be popular with vendors of security technology, and in its usual incarnation consisted of an hour-long sales talk in which the first half hour was devoted to scaring the pants off the potential client, after which the product being hawked was delivered, deus ex machina fashion, as the savior with blinking lights that would make it all go away. The security holes left by this approach need no laying out to anyone who has spent more than a few months working in cyber security. Executives have now cottoned on to this sales tactic and largely immunized themselves against it, so it can be considered ineffective at this point.

The Risk based and Compliance based methods are more or less complementary in their effects, though both are failures. The problem with using Risk and Compliance as the driver of security spend is that it ties the security leader up in ROI [2] discussions that cannot be won. Usually, the compliance-based discussion ends with a certain percentage coverage of pre-set security controls, which is then deemed 'acceptable' from a risk perspective.

Even the run-of-the-mill, not-so-serious cyber security event cannot be tackled with the cyber defense that results from a risk and compliance approach: this is the sort of cyber defense a good hacker usually runs rings around. Hackers are simply experts at finding the 15% of your 'compliance' that is not yet covered by controls. A daily report of failed authentications, for instance, is utterly ineffective against an intruder who pivots hourly. Of course, in the event, you do not get the 'penetration testing report' to fix your problems at leisure. Instead, you're pwned, and it's up to you, whatever logs and data you have, and the victims to figure out what just happened.

Serious cyber security events with the potential to be company-terminating are typical long-tail, black-swan events that do not fit risk frameworks at all. A company termination event is the moment at which the risk and compliance discussion loses its meaning entirely, and it is therefore 'out of scope' of such discussions.

This leaves us with the guerilla tactic for running a security team. I will have much more to say about that later, but for now, consider this: the main tactic of guerilla warfare is using someone else’s resources, augmented with agile and highly pluggable minimal infrastructure, to achieve your goals. Effective security teams work this way, and that is what makes an effective security team a somewhat different beast in any IT organization.

[1] And have also tried to use, to my shame.
[2] Return on investment
