Last year at Black Hat Europe I sat down with one of our lead security analysts, Paul Stringfellow. In this part of our interview (part one can be found here), we discuss balancing cost and efficiency and aligning the security culture across the organization.
John: So, Paul, in an environment with problems everywhere, where you have to fix everything, we have to move on. In the new architectures we have now, we need to think smarter about our overall risk. This is related to cost management and service management – the ability to assess our architecture for real risk and exposure from a business perspective.
So I’m kind of thinking I need to buy a tool for that, because I think that to get over 50 tools I need a clear view of our security posture first. Then we can decide which of the instruments to use to actually react to this position, as we will have a clearer idea of how we are exposed.
Paul: Buying a tool goes back to the hopes and dreams of salespeople – that one tool fixes everything. But I think the reality is that it’s a mix of understanding what metrics are important. Understanding the information we’ve collected, what’s important, and balancing that against technology risk and business impact. You already made a great point: if something is at risk but the impact is minimal, we have limited budgets to work with. So where do we spend? You want the most bang for your buck.
So it’s about understanding the risk to the business. We have identified the risk from a technology perspective, but how significant is it to the business? And is it a priority? Once we prioritize the risks, we can figure out how to address them. There’s a lot to unpack for what you’re asking. For me, it’s about doing that initial work to understand where our security controls are and where our risks are. What do we really care about as an organization? Get back to the metrics that matter – cutting through the noise and identifying the metrics that help us make decisions. Then see if we measure these metrics. From there we will assess the risks and put the right controls in place to mitigate them. We do location management work. Do the tools we have in place respond to this attitude? That’s just the internal side of things, but there’s also the external risk, which is a whole different conversation, but it’s the same process.
So when we look at the tools that we have, how effective are they in mitigating the risks that we’ve identified? There are many risk management frameworks out there, so you can probably find a suitable tool like NIST or something else. Find a framework that works for you and use it to evaluate how your tools manage risk. If there is a gap, look for a tool to fill that gap.
John: And I thought about the framework because it basically says there are six areas that need to be addressed, and maybe a seventh could be important to your organization. But at least have six areas as a check box: Am I dealing with risk response? Am I dealing with the right things? It gives you, not a Pareto view, but it’s about diminishing returns – cover the easiest thing first. Don’t try to fix everything until you’ve solved the most common problems. That’s what people are trying to do right now.
Paul: Yeah, I mean – let me quote another podcast that I do, where we do “technical stuff”. Yeah, who knew? I thought I’d plug it. But if you think about the takeaways from this conversation, I mean, you know, back to your question — what should I be considering as an organization? I think the starting point is probably to take a step back. Do I take a step back as a business, as the head of IT in this business, to really understand what risk looks like? What does business risk look like and what should be prioritized? We must then assess whether we are able to measure our effectiveness against this risk. We get a lot of metrics and a lot of tools. Do these tools help us effectively avoid the risks we consider important to the business? Once we have answered these two questions, we can look at our attitude. Are the tools available to give us the control we need to deal with the threats we face? The context is huge.
John: In this context, it reminds me of how organizations such as Facebook have had a relatively high tolerance for business risk, especially when it comes to customer data. Growth was everything—only growth at any cost. So they were prepared to manage the risks to achieve it. Ultimately, it boils down to assessing and taking those risks. At that point it is no longer a technical interview.
Paul: Exactly. It’s probably never just a technical conversation. In order to deliver projects that address risk and security, they should never be driven by purely technical means. It affects the functioning of the company and the daily work procedures. No security project will succeed unless everyone understands why you’re doing it. You get too much pushback from older people who say, “You’re just getting in the way. Stop.” You can’t be a department that just gets in the way. But you need a culture throughout the company that safety is important. If we don’t make security a priority, all the hard work everyone is doing could be undone because we haven’t done the groundwork to make sure there aren’t vulnerabilities waiting to be exploited.
John: I just think about the number of conversations I’ve had with salespeople about how to sell security products. You sold it, but then nothing gets deployed because everyone else is trying to block it – they didn’t like it. The reality is that a company needs to work towards something and get everything aligned in order to deliver.
Paul: One thing I’ve noticed in over 30 years in this job is how salespeople often struggle to explain why they might be valuable to the business. Our COO, Howard Holton, is a big believer in this argument – that salespeople are terrible at telling people what they actually do and where the business benefit is. But one thing he told me yesterday was about their attitude. One rep I know works for a vendor that offers an orchestration and automation tool, but when he starts a meeting, the first thing he does is ask why the automation didn’t work for the customer. He takes the time to understand where their automation problems are before presenting his solution. If only more of us—salespeople and others—would first ask, “What isn’t working for you?” maybe we’d get better at finding things that will work.
John: So we have two tips for end users – focus on risk management and simplify and refine security metrics. And it’s important for salespeople to understand the customer’s challenges before they design a solution. By listening to customers’ problems and needs, salespeople can provide relevant and effective solutions rather than just selling their aspirations. Thanks, Paul!
The post Making Sense of Cybersecurity – Part 2: Delivering a cost-effective response appeared first on Gigaom.