Monday, February 2, 2017 at 7:00 AM, as I finished registering for my 15th RSA Conference, I was provoked by a set of four billboards on the side of Moscone North. Here is the picture I took that morning from the second floor of Moscone West:
“The Moment You Link Business Risk To a Security Incident That’s Business-Driven Security™.” As someone who has been responsible for managing information risk and security for over 15 years, I can tell everyone with absolute certainty from the CISO, CSO, and CPO seat, this message is wrong. Not only is it incorrect, it is harmful. Harmful to your customers, to your shareholders, potentially to society, and in the end, harmful to your organization or business.
Does the ‘RSA’ in RSA Conference stand for Reactive Security Approach? Well, based on that trademarked statement on the billboards, and my reflection back over the past fifteen years, it just might.
I have long believed that the security industry profits from the insecurity of computing. Therefore, most of the industry has no real economic incentive to solve the security problem. If you’re wondering why an industry created to solve security problems does not have the business incentive to solve it, congratulations, you’re asking the right questions.
I have witnessed this countless times in my roles and engagements with countless security vendors who want us to believe that compromise is inevitable and that we should just give up, be victimized, and just focus on speeding up detection of harm and response vs. proactively preventing incidents from occurring. A phrase, or variations of it, often said to customers looking to buy cybersecurity products is, “You’re going to be hacked, it’s just a matter of time. Recover quicker and find the bad guy.”
So, when I encountered these billboards, I was left once again with additional proof that I was right. The industry wants us to stay reactive and incident driven so it can profit from harm. There’s zero discussion in this phrase of how to protect customers and how to best stop the attacks from happening.
Business-driven security isn’t about linking business risk to an incident – unless you’re a security vendor who feeds off reactive detection and response, since that drives your business and your profits. I have said for years that business-driven security is about the mission of the information risk and security team - Protect to Enable. When you are protecting to enable people, data, and the business, you are proactively engaged upfront and aligned with the business on the evaluation of how to achieve the business objective, while best optimizing your controls.
I achieve that through my ‘9 Box Of Controls’ approach that I blogged about last year after RSA, and published in September of 2016 in the second edition of my book – Managing Risk and Information Security: Protect to Enable. It appears the industry still hasn’t caught onto the basics of enabling business while protecting organizations. Here’s a refresher:
You can also do that by implementing the NIST Cybersecurity Framework and continuously walking through the macro steps that it outlines.
Prevention Steps: Identify and Protect.
Reaction Steps: Detect, Respond, and Recover.
If implemented properly, this framework can set the stage for having the right discussion within an organization on information risk. It can also, when viewed in the context of the 9 Box of Controls, drive a ‘shift left and shift down’, which results in the lowest risk, lowest cost, least amount of liability, and lowest control friction spot – so we can all Protect to Enable.
Now let’s look at some data from recent surveys and studies to see how we are doing and what results are being achieved as an industry:
Piper Jaffray October 2016 – The Breacher Report
From what I saw at RSA 2017 this year and the data above, the security industry is a part of the problem. We need to do better. We have to do better. Otherwise, the potential we have in front of us with technological advancements that can benefit business and benefit society is in question.
JFK once said, “the problems of the world cannot be solved by skeptics or cynics whose horizons are limited by the obvious realities. We need men who can dream of things that never were and ask why not.”
My advice to business leaders is this - don't just throw money at the symptoms. Fix the problem.
I hope that we can all focus on NOT positioning the work of managing risk as an ‘either this or that’ function. Don't position business velocity vs. business control. Don't position needing to balance privacy against the need for security. If we start with a mindset of trading these items off against each other, we will not be successful, because we will design our digital transformation to be at odds with the digital control needed to do this right.
And then, we will be left with throwing money at symptoms after the fact, reactively detecting and responding to risk rather than fixing the problem from the ground up.