Years ago, I remember Hollywood producing attempts at riveting yet profitable on-screen dramas built around cyber security plot elements, and the result was only disappointment, because they bore no resemblance to reality. Today, as InfoSec becomes more mainstream, there are big- and small-screen serials involving a hacker protagonist or a cyber victim heroine. What I like about the modern-day renditions is that the themes and dialogue are no longer technically fictional. We live in the age of information, and war is fought on the cyber battleground. Nothing is more relevant than the context of a personally identifiable subject. Still, the Hollywood dramas, as realistic as they have become, leave a lot to roll your eyes at (or to cover your eyes at).
Far too often, I meet companies who are excited when I arrive. They pull me into their data center and show me their new KYZ 5000 and go on to explain that it has ended all of their cyber security concerns. I review the device and find out that it is plugged in and has a flashing light somewhere in the front and that is the end of the story. Other times, I go to a site and find that the company has just purchased an ABC 1000; plugged it in, turned it on, and perhaps even configured it.
In both cases, I tend to ask what problem(s) the piece of equipment is solving. Most of the time, I hear a story like: “Mike, you don’t understand, Joe down the street just bought one and it has solved all of his problems!”
Unfortunately, I find that these are simply impulse buys or, worse, auditor pleasers. When we actually take a look, they are not working the way the purchasing company believes they are working. I frequently ask the company’s representative how this purchase has helped to lower the company’s risk. They usually give me a blank stare and ask what I mean. I then ask to see the company’s risk assessment. The person goes into panic mode and begins a hunt for it. After the risk assessment is found (and a year’s worth of dust is knocked off it), I ask how the purchase has reduced the risks listed in the assessment.
It is usually at this point that I must explain that the risk assessment is designed to help organizations manage their security spend, the effects of security on the end user, and the true need for security. After reviewing the risk assessment together, we usually agree that had the organization used the assessment as it was intended, the same spend would have reduced risk a great deal more than the purchase of the equipment did; perhaps the piece of equipment reduced the risk by 0.5%, while spending the money wisely would have reduced risk by 30%.
Cybersecurity experts MUST be risk managers. They MUST ensure that the security program is being managed to enable the success of the business. When we do not use our risk assessment to perform our duties, we run the risk of overspending, overprotecting, or simply wasting time, money, and resources. It is also crucial for us to understand that our roles require us to understand all methods of treating risk. Many in our community believe that we must throw technology at everything and that it will solve all. Even the vendors (at least the honest ones) will tell you that their technology is one part of an overall strategy.
Many would agree that their technology must be fully implemented from a technology configuration, policy, procedure, and corporate strategy standpoint; having the equipment plugged in, whether configured or not, is only one piece. On that same note, the technology MUST work in harmony with all other security strategies. I have yet to find a tool that will solve all information security problems; as cybersecurity experts, we must layer our approach to cybersecurity. Our approach MUST include training, risk management, policy and procedure, company buy-in, and technology. Note that technology is last; without the first pieces, you have Blinky Light Syndrome (BLS).
Blinky Light Syndrome (BLS) describes a device that is plugged in, turned on, but not doing what the owner thinks it is doing or what the owner wants it to do. It can be used to describe either of the scenarios I covered at the beginning of this article.
In conclusion, a risk assessment is not just used once a year to show auditors that you have it. It is a tool that takes on a living role in your success as a cybersecurity expert. It grows with you: as you add new processes or technologies, or as the business changes, the risk assessment grows. As your company divests, the risk assessment should be consulted and adjusted to reflect the changes. When you purchase new security tools, your risk assessment should aid you in determining exactly how the solution will need to be set up and configured. At Cyber Self-Defense, we make it our business to help your organization steer clear of Blinky Light Syndrome and equip you to truly be secure!
I continually read posts from “Cybersecurity Experts” claiming that information security professionals should say “no” to the companies that we support. This manner of thinking is dangerous and downright wrong to me. Cybersecurity experts are technical risk managers whose role is business enablement.
The Cybersecurity Act of 2017, introduced in March and sponsored by three bipartisan senators, applies pressure to organizations by requiring disclosure of cybersecurity expertise serving on the board of directors. The legislation, if enacted, would impose this disclosure requirement first on public companies, but it sends a clear message that information security and cyber risk management are much-needed, but lacking, skills for global commerce.