The Wonderful Strategy of Threat Tolerance

Has anyone else noticed that the new cybersecurity slogan seems to have become it’s better to be lucky than secure? It used to be security is a process, which lasted as long as businesses thought that cybersecurity would be something that gets them out of a jam.

But when they realized that all the money and resources they put into it didn’t always pan out for them 100% of the time, they decided to go with a risk strategy instead. Which basically ended up being let’s do the bare minimum we can get away with in order to keep our customers happy and just hope that nobody picks us as a target.

Now I’m all about luck. I love it. I love it when I find a few bucks on the street. I love it when the car actually misses me when the driver loses control. I love it when the raccoon chooses my neighbor’s garbage cans. I love it every time I win the lottery.

As a sophisticated purveyor of fortunate incidents however, I am disproportionally reluctant to admit that my good fortune is often the misfortune of someone else. “Hopefully the attacker gets caught and not my family - fingers crossed!” And I manage that issue by not thinking about it - which, by definition, is a solid risk strategy. And it’s one that’s been sweeping the globe.

A Sign of the (Insecure) Times

While you, my cybersecurity brethren and sisthren, were honing in on how to convince the business overlords to apply more cybersecurity to All of the Things (AotT), those very overlords decided that ‘good-enough’ security is when they wake up every morning in their gazillion thread-count Antarctic cotton sheets and see that luckily, nobody broke in yet. Phew! And if they did, well, maybe they didn’t find anything they liked and just left quietly, closing the (back)door behind them.

This phenomenon is known as Threat Tolerance. Well, known by me as I just made it up. But now it’s known to you too, and you can also take credit for it as if you made it up. Sharing is caring and all that.

This strategy basically surmises the attitude of: “why do we need to solve all the problems? Can’t we just enjoy them for a little while first?” Which makes sense if you also believe that if life gives you lemons you can make lemonade to sell. Which is how business actually thinks.

So if life gives you breaches, sell breachade. Okay, while there is no breachade at the moment, there kind of is. Sony spun their breach into a means for getting rid of troublesome actors, improving its rep from ‘just another corporation’ to ‘international bad-ass that a whole nation state is trying to squash’, and writing off a few movies instead of taking the hit over them. Maybe they even got some insurance money out of it.

However, the reality is that Sony has suffered from that breach in ways it could never really recover from. Oh no, wait. That was just wishful thinking on my part. As a New Yorker, we are raised to appreciate a good comeuppance. We had the Knicks after all.

But a good comeuppance doesn’t often happen in cybersecurity. Most businesses don’t see comeuppance whether they’re changing the climate, burning out employees, poisoning waterways, or losing our identities by the millions. We have millions of years of data on that. Don’t look skeptical at me. We so do. There’s whole Comeuppance Databases researched by Comeuppance Scientists who have Ph.D.’s in Comeuppology.

Business as Usual (For a Given Value of ‘Business’)

The thing is that the whole business of Risk in cybersecurity is nothing more than Threat Tolerance. How much threat can we live with as long as we can keep selling Skittles, or duct tape or aluminum sidings? And the answer varies from business to business, but mostly it goes from a surprisingly “very high” to “NASA was monitoring it with Hubble before it broke” kind of high.

Look, if big business knew that there was a clear and present danger that someone would break into the server room and set it all on fire they’d probably just buy marshmallows in bulk and sell tickets to a jamboree. And that kind of thing drives us cybersecurity people crazy. Well, those of us who are aware that it’s true. The rest would just keep trying to convince business to spend more resources so they could lock down tighter and then just complain later that they weren’t invited to the cook-out.

So, let’s talk risk again. I don’t know about you, but I think security means protecting everyone and everything. Or at least trying to. So, we should never start out with thinking about acceptable risks and collateral damage. I know it’s a part of the bigger picture, but it’s not how we should start – we should be building defenses based on protection and not by merely reacting when our existing (and usually inadequate) defenses are breached.

Therefore, deciding on a risk strategy puts you immediately into losses. Because you are very aware that sometimes you won’t react in time. Sometimes the criminal will have an exploit before you have a patch. Sometimes you will lose a little business from employees using their pet’s names as passwords, in exchange for not losing a lot of business from asking your helpdesk team to spend their weekends reimaging all your laptops. It really all comes down to luck. Then it’s really better to be lucky than secure.

But here’s the thing. If you start with protection and defending every single endpoint possible in the best way possible through separations, defense-in-width controls, and hardening systems with less services and less privileges to reduce your attack surface, then the ones who need to be lucky are the attackers. Which might still happen, if they’re lucky.

See, I’m not starting with risk but I know it’s still there and always will be, so all you risk analysts aren’t going to have to go back to only making millions day trading.

You know, I could write a hundred pages on this topic, but I won’t, because those of you who get it already stopped reading and those of you who don’t already stopped reading. And the rest of you just kept reading in case I’d make another raccoon analogy. And you’re now disappointed.