By Tony Sager
June 11, 2021
Have we reached the point where cyber security is a business function?
Well, recent events have reminded us that a business doesn’t function without security. But our goal is not security for its own sake. Cybersecurity is not some magical end-state; it’s an essential step on the road to confidence in our business and personal decisions.
The focus of cybersecurity has traditionally been on technical things – designing and building technology that embodied desirable security properties, like confidentiality, integrity, and availability. Evidence to support “trust” and confidence would be inherent in the underlying model or design, built into the development process, and demonstrable through assertion, evidence, and rigorous proof. More recently, there’s been an equally strong focus on specialized information, like threat sharing, or “zero day” flaws in software.
Describing cybersecurity as a technology challenge, or a threat sharing problem, or perhaps even as a training, awareness, or accountability problem – these concepts are all necessary, but have never been sufficient.
For decades cyber security has been on a slow, and now accelerating, “crawl-walk-run” journey toward the mainstream of social and economic interests. While this makes some security technologists uncomfortable, it’s a natural path to making sense of the “promise and the peril” of our interconnected world. The opportunities and benefits of modern technology for social good also empower criminals with unparalleled reach, leverage, and anonymity. As an FBI friend quipped many years ago, “Anyone in organized crime who is not getting into this (cyber) ought to be sued for malpractice!”
Adoption and use of technology are not driven solely by security – they are driven by things like business utility, the psychology of marketing, and economics. So the convergence of cybersecurity and business interests and decision-making is natural, and should be managed. Decision-making (and spending) about cybersecurity risk competes in the domain of overall enterprise risk, and has to answer real-life questions like: what are the problems that might really impact the business, and what are our most effective options; how does this affect the overall risk to our business or operation; how do we know we’ve spent a reasonable amount to effectively deal with this; how do we know we are getting better; how do we show others that we have done the right and responsible thing?
In today’s cyber world, these problems have become much more holistic, distributed, and dynamic. For example, in a modern supply chain, trust is a transactional idea: for a purpose, for a specific time, and under the terms of a contract, two parties may choose to exchange specific items of control and data (e.g., the status of an inventory database, which could trigger a transfer of goods direct from supplier). The business may choose to change suppliers for all sorts of reasons, and so must consider the “friction” (costs, uncertainty, etc.) of establishing trust with a new supplier. Also, given the high complexity of modern global supply chains, with potentially a massive number of dynamic dependencies, traditional “control” methods (e.g., site visits by certified assessors, periodic paper reports) to vet and verify the security worthiness of suppliers just don’t scale.
So a modern notion of trust – which is central to confidence in decision-making about risk – has to encompass everything from technology to business operations to cost-effectiveness to institutional and personal confidence. And it must also address how trust will be conveyed, shared, and kept current.
The traditional plea from the security wizards of my generation? “Management needs to care about communications/computer/information/cyber security!” OK, we made it – the barking dog finally caught the car. Now what are we all going to do about it?
Tony Sager is a Senior VP and Chief Evangelist for the Center for Internet Security. He leads the development of the CIS Critical Security Controls, a worldwide consensus project to find and support technical best practices in cybersecurity. Tony also serves as the Director of the SANS Innovation Center, a subsidiary of The SANS Institute.