I recently chaired a panel on cyberthreats for a local business council. I had great panelists giving details on very sophisticated attacks found in the results of their company's threat reports, along with words from NIST on the security framework effort triggered by President Obama's Executive Order. Advanced persistent threats (APTs) and the Executive Order were dominating the headlines but when I opened it up for questions, most of the audience questions were not about the threats discussed, they were along the lines of "OK, that's nice -- but what solutions have you seen that worked against these things, and how do we convince management they need to fund us to do something?"
What struck me was that the audience had a very CEO-like response. While the security community continually clings to the belief that management just doesn't understand cyber threats or risk, the reality is that most CEOs have been bombarded with apocalyptic cyberthreat reports from business and mainstream media -- and from their own security teams. Most really do weigh those risks, using the same formal or informal thinking they use to judge the risk of investing in a new product, or doing a merger or acquisition. The real leaps forward in business are not made by convincing management about threats or risk; they are made by showing them solutions to the problems that are less disruptive and less expensive to the business than doing nothing.
Don't worry, I'm not going to head down the "return on investment" rat-hole. If you look at the reality of how CEOs or venture capitalists make investment decisions, you find that most of them realize ROI or future sales/revenue projections are about as accurate as weather forecasts -- slightly better than flipping a coin. Successful business leaders usually make their decisions based on the quality and track record of the team that will run the business, and their judgment on opportunity costs -- if I spend the money here, how will that disrupt my business by depriving funding from some other area of business or investment.
That captures where we are today in security: we don't need to keep flogging the threat, we need to be able to demonstrate solutions that work, that don't disrupt the business, and that don't simply propose to keep smashing into the same walls while wearing more padding in the future. To a CEO, slowing down business so it hurts less when bad things happen is riskier than doing nothing. What is needed from security is less "It hurts when we do this" and more "Instead of doing this, we are going to do that." Some examples of the "it hurts when we do this" approach:
- BYOD solutions that propose "back to the mainframe" approaches, like making users use dumb terminal apps or total lockdown on their smartphones or tablets.
- The US Government trying to force government employees to use Smart Cards (remember those?) for authentication on mobile devices.
- Continuing to give users and admins full ability to load any executable, even though 99 percent of what they need can be found on widely available whitelists.
- Allowing web apps to continue to include command injection vulnerabilities, even though 99 percent of them could be easily found and fixed during final QA.
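To make the last point concrete, here is an added example (not code from the original post or from SANS) of what "found and fixed during final QA" can look like for a command injection defect. The web-app feature, the function names, the `INJECTED` marker and the QA probe string are all constructed for illustration. The vulnerable function builds a shell command string from user input; the fixed versions pass the input as a separate argv element so the shell never interprets it, and the stricter one also rejects anything outside an allowlist before running anything. The QA probe is the kind of check that belongs in a test suite before release: it flags the defect by asking whether a second command ran, not by grepping for the payload text.

```python
import re
import subprocess

# Constructed example: a web app feature that shells out to greet a user by name.


def greet_vulnerable(name: str) -> str:
    """Builds a shell command string from untrusted input: the defect QA should catch."""
    proc = subprocess.run(f"echo Hello {name}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def greet_argv_only(name: str) -> str:
    """Fixed: no shell. The name is one argv element, so ';' is just a character."""
    proc = subprocess.run(["echo", "Hello", name],
                          capture_output=True, text=True)
    return proc.stdout


# Allowlist for what a "name" may contain (assumption for this example).
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def greet_fixed(name: str) -> str:
    """Fixed with defence in depth: allowlist-validate, then run without a shell."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name contains characters outside the allowlist")
    return greet_argv_only(name)


# QA probe: the marker appears as a line of its own only if the shell ran a second command.
MARKER = "INJECTED"
QA_PAYLOAD = f"world; echo {MARKER}"


def qa_injection_check(greet) -> str:
    """Returns 'injected' if a second command ran, 'rejected' if the input was
    refused before execution, or 'safe' if the input was treated as plain data."""
    try:
        out = greet(QA_PAYLOAD)
    except ValueError:
        return "rejected"
    # Exact line match: the unfixed code prints the marker on its own line, the fixed
    # code echoes the whole payload as one line, so a substring search would misfire.
    return "injected" if MARKER in out.splitlines() else "safe"


if __name__ == "__main__":
    for fn in (greet_vulnerable, greet_argv_only, greet_fixed):
        print(f"{fn.__name__}: {qa_injection_check(fn)}")
```

Run on a POSIX system, the probe reports `injected` for the first function and `safe` or `rejected` for the other two. The design point for QA is that the check asserts on behaviour (did an extra command execute?) rather than on the presence of the probe string in the output, which the correctly fixed code legitimately echoes back as data.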
All of those examples have success stories out there, where CISOs have led or supported the development of solutions that met business demand to use personally owned devices without increasing risk, or decreased vulnerabilities in software, or quickly detected advanced targeted attacks in time to prevent business impact -- all without having to go to management for new funding or impacting business processes. Those CISOs focused on change -- doing something differently and better to improve security without having to restrain business or wait for management to "understand the threat."
In the case study research notes I did over my 13 years at Gartner, and the "What Works" equivalents I've done since joining SANS, I've yet to see a risk management or ROI argument that was the catalyst for leaps forward in security. In fact, most of those leaps were made by security managers who didn't even have to obtain new funds to get started. They tried new approaches to intrusion prevention, penetration testing, application security, BYOD, desktop security, etc. that started with replacing the old way with a new way, demonstrated how they solved a problem -- and then were easily able to obtain funding (or reprogram existing funds) for full-scale roll-out.
I'll leave you with my version of Aesop's Fable "The Ant and the Grasshopper":
The security ant was busy replacing old firewalls and IPS with advanced threat detection, checking web code for vulnerabilities before deployment, and deploying whitelisting on all servers to prevent malware. The security grasshopper was busy singing the "Song o' Threats" and creating risk dashboards that he was sure would cause the Board of Directors to finally get it, and laughed at the toiling ant -- until the attack hit that stole all the wheat the grasshopper had planned to eat later. The ant's firm survived the attack, made it through the winter and into a very prosperous spring. The grasshopper had to call in expensive incident response and public relations consultants, notify thousands of customers that their personal information had been exposed, and spent all spring staring at compliance reports.
Moral of the story: Be an industrious security ant, not a singing security grasshopper.
John Pescatore joined SANS in January 2013 after over 13 years as Gartner's leading security analyst. He previously worked at Entrust, Trusted Information Systems, GTE, the US Secret Service and the National Security Agency.