Acceptable Cyber Risk And How To Live With It


When they give you lined paper, write the other way

Ray Bradbury, Fahrenheit 451

In security, we have been unable to create a system that can’t be hacked, and it’s very unlikely that we can or will. We can sometimes create conditions where we know the ways something can be broken and can say this tiny thing is secure within specific boundaries, but something the size and shape of a business or even a modest IT system is never unbreakable. Yet we are often asked in security to attest that an attack seen in the media “can’t happen here.”

There are very, very few questions, when asked in this way, to which the CISO or security person can honestly say either “we are immune” or even “it hasn’t happened here yet.” This is scary to our peers outside security, even though there’s no domain in the business that has that degree of utter certainty: it’s as true of the CIO talking about availability, the CFO talking about accounting, the CRO talking about revenue or the CMO talking about branding and lead generation.

But in security, it’s scary because there is malice behind security failures. This fear is a clear, human fear of the unknown and of the other that is out to get us. However, our job isn’t to provide juvenile, immature assurance; it’s something else entirely.

In security, we need to have a risk conversation with the business and to be the custodians of much of that risk as a function within the security department (warning: there are other risk functions that aren’t security, in places like Finance, Operations and Legal), especially when there is an adversary and clear malice of intent. Both sides of the CISO persona matter: the business side and the technical side. This means both freeing the risk dialog from jargon and driving the security department to find new ways to reduce that risk. We have to show where risk really exists in the same language as the rest of the business, help the business to accept risk and then innovate to reduce it, while optimizing spend and activity within the department.

Let’s dive into the innovation part a little.

Humans are generally creatures of habit. Some of us might have trained ourselves out of it and might revel in being disruptive to routine, but given time routine creeps in for all of us. Our brains enjoy going on auto-pilot to some degree and freeing up cycles for other challenges. This is as true at work with activities as it is at home with our children who crave routine (for the most part). At work, many of us go through the routine of our jobs, running another penetration test or doing another vulnerability triage and patch cycle, eating up the hours. Time after time.

Instead, what the keen few are able to do is automate the repetitive and remove waste from processes. We shouldn’t be going through the motions of security over-and-over again. There’s a role for silicon and a role for carbon: use systems and machines to automate and remove routine from what we do, freeing up people to tackle new risk and peek under new rocks.

Many years ago Looney Tunes and Merrie Melodies produced a cartoon of Ralph Wolf and Sam Sheepdog, who got into antics trying to respectively steal and protect a flock of sheep. Both still clock in with a timeclock every day, which casts the whole thing in a new light. It’s no longer about catching or protecting the sheep, it’s about going through the motions in a daily routine.

The onus is on us to break out of the routine and not just punch the clock in the cyber version of the Keystone Cops. We have to live surfing the wave of security, automating what’s behind us with systems (with an eye out for the Mirror Chess problems) and breaking out of the mould, out of the routine, out of the dance with our adversaries. It’s our job to innovate and to challenge how we do security and not sit still.

Proving a negative isn’t impossible, but it is much harder than proving a positive. If you claim that something exists, you only have to provide proof of it once. If you claim that something doesn’t exist, you have a lot more work to do. In security, we can’t actually say that we’re forever safe, so we have to show where risk exists in a way that others outside of security can digest, as well as present options to reduce it.

For the non-security business people out there, realize this tug of war exists for your security colleagues and help him or her with the conversation. Don’t trust the CISO who says “we are immune and fine” and “we have the operations down pat.” Do trust the CISO who says “here’s the risk we have” and “here’s where we’re going” and “I have a new way to reduce the risk I told you about last time.” That’s the hallmark of the CISO doing their job right, not the one who says all’s well and nothing needs changing. Improving security is everyone’s business.

Sam Curry is CSO at Cybereason. He is a security visionary and thought leader and has been interviewed by dozens of journalists, has published broadly and has talked in ...