“You will respect my authority” … is a sure fast way to be ignored in the business world!

Much like gatekeeping, excessive focus on policies, lack of engagement with the audience and generally mandating security policies and procedures that are not practical will likely not end with a robust, resilient security posture.

Business Realities

• Most organisations do not (in 2022) have a strong, resilient, and invested in cyber security posture.
• Thinking of Security and IT as “us and them” is a sure-fire way to not improve the posture
• A common mantra I’ve seen in a great many orgs is “If it isn’t broke, don’t fix it” – this is often said in orgs with high levels of quality, performance, and security debt. Often if you go and look in the event logs, performance graphs and look at the security posture, it’s largely broken yet somehow managing to “run” enough to support the business function.
• Most organisations don’t have a dedicated security budget
• Most organisations don’t have a CISO
• Most organisations don’t have a Security Operations Center (SOC)
• Having a CISO doesn’t mean you have a good security posture
• Having a SOC doesn’t mean it’s effective
• You can’t but security, you can buy tools, you can buy expertise, but you can’t simply spend money to make security appear
• Security is a cost, but it has value more than just as a management of risk function

The Business Value/Benefits of Cyber Security

Too often I think the industry and people fail to articulate the value proposition of security, it’s often highly focused on fear, uncertainty, and doubt (FUD) however I think it’s a lot simpler than that.

When we step away from vendor/marketing kool-aid we start to realise that the veneer of marketing imagery and techno babble cyber woffle (this is a technical term) that most talk either in marketing or sales pitches is the real world is a far cry from the eutopia ivory tower scenarios. This occurs with people as well, often people in “security” roles will work for large organisations, vendors and regulated industries which gives them a view which is quite far removed from what I phrase as the 90%.

Everyone has their own bias (myself included) however it’s probably not too difficult to walk around your network and hunt for a broad and general view. Hell, there’s another way as well, just go and look in the news! See how many breaches are, see how many incidents occur, see what the root causes are, most cyber incidents aren’t “highly sophisticated”.

That’s a line people say because they think that’s what they should say, it makes out that the attacks/incidents were almost unavoidable, a foe armed with 1337 skills that’s unstoppable. That’s generally almost never true, almost all incidents are avoidable, most of them are not sophisticated and largely they occur because security postures are normally weak (both at a personal and organisational level).

I thought we were going to talk about benefit. Of course, we are, however it’s important to set the scene. So, what are the benefits of a good security posture?

• Reduced business risk
• Reduced likelihood of negative impact security events
• Reduced compliance overheads
• Provides the ability to demonstrate quality, safety, and assurance to prospective and existing customers (often via 3^rd party certification/accreditation/audit)
• Reduced legal risk
• Less likelihood of brand and reputational damage

Ok so these are age old, there’s nothing new here. Well, ok so there’s probably nothing new in most things, so let’s think about this a bit more, how does a stronger security posture achieve these things?

I like to think of security as a quality & safety capability as well as a risk management one. By thinking about service quality and safety capability alongside risk management, we can start to at an abstracted level think about security in a more holistic value sense.

Thinking about Cyber As

The concept here is to think about cyber connected to the business, not disjointed from it. There’s so much “us and them” in language, terminology, concepts, and messaging, it simply doesn’t make sense to me. If you want a good security culture you need a good business culture, the two aren’t disconnected, they are highly coupled, highly connected and security (or lack of) integrated with everything, when we look at digital security (you know the cybers!) it becomes even more so connected.

Property	Value
Quality	Ensuring the business operates to a quality standard that enables its core capabilities
Reliability	Ensuring the business can operate reliability
Safety	Keeping the organisation safe from threats
Efficiency	Improved efficiency of business operations and change
Risk	Management (and hopefully therefore reduction of risk and impact)

Compare and contrast

This is all great but how does this work in practise? Well let’s look:

Property	Current State	Future State	Benefits
Quality	High levels of technical debt, system quality is low	What would you do differently?	How does this benefit the business?
Reliability	Single points of failure, slow to identify, respond and resolve incidents	What would you do differently?	How does this benefit the business?
Safety	Systems are not designed with safety in mind	What would you do differently?	How does this benefit the business?
Efficiency	Systems are inefficient to operate	What would you do differently?	How does this benefit the business?
Risk	The organisation carries a large volume of unmitigated and unmanaged risk	What would you do differently?	How does this benefit the business?

Ok so I’ve not been highly descriptive but that’s because I think it’s important for people to consider how each element affects their business and how all these things are linked.

I often see people talk about IT and Cyber Security as disjoined elements, like Security is something “IT people” are terrible at. I shudder at the possibilities for how the culture of an organisation is if that’s the team spirit demonstrated.

I wonder how customer problems and challenges are solved by an organisation when they aren’t focused on ensuring the whole is working in harmony (or at least as close to it as humans can get to) when thinking about value delivery and how security engulfs and integrates to all things.

Security is important, but it’s not the most important thing (in most scenarios!), It’s important that security is balanced, aligned to the business but also integrated into the business. Cyber security is broad and deep subject, it’s a specailist subject and practise in it’s own right yet all of this links to the wider business. Security does not exist in isolation.

Summary

Cyber security has value far beyond simply risk management from my perspective. Digital technology is pervasive in our lives and inside every organisation, if we don’t think about organisational digital health and security from a holistic point of view, we are going to continue in the tumble-dryer of poor security postures, poor internal investment decision making and a less safe society for everyone. Technology can enable us to do great things, it also has the potential for great harm, leveraging computers safely to maximise value delivery doesn’t sound like an awful approach to me… who knows, one day it might even catch on!