3.15.23 > Loren Dealy Mahler
As infosec leaders, we have a responsibility for securing our organizations, but we know that despite whatever mandate comes from the top, achieving 100% security is a pipe dream. We stress ourselves out searching for the silver bullet that will protect us from anything and everything, and we wear ourselves out searching for a new solution, a new technology, or a new vendor’s magic elixir.
Despite this unrealistic goal, we keep telling ourselves it’s our responsibility to provide answers with clear, scientific accuracy. But what if we shift our thinking and acknowledge that while those answers are valuable, the way we arrive at them is just as important.
If the journey matters as much as the destination, then part of our job is to also ask the right questions. We owe it to our teams, our organizations, and ourselves to provide the space needed to figure out the contours of each one – and to do it without abandoning our penchant for scientific accuracy.
The Drake Equation
In 1961, Frank Drake, an American astrophysicist and astrobiologist, convened the first meeting of a group of individuals interested in the search for extraterrestrial intelligence (SETI). The group included physicists, amateur astronomers, radio operators, neuroscientists, and businessmen. Their goal was to determine how to detect radio-communicative life in our galaxy.
To guide the discussion, Drake put together a breakdown of concepts that he thought should be taken into account to answer the ultimate question of how many planets might be home to life forms with whom we can communicate. These included unknown (and relatively unmeasurable) variables like how many stars in our galaxy have planets; how many of those planets can support life; what fraction of those are intelligent life forms; what fraction have developed a communicative technology; and so on. Each part was sufficiently complex as to require its own specialized expertise, technology and hypothetical approach to how it should be measured.
In debating the elements of what later became known as the Drake Equation, the original SETI participants discovered there was even more value to be found in discussing the individual concepts than in determining the actual answer. In the 60 years since, countless others have come to the same conclusion, and numerous scientific specialties have benefited from the deep dive work done into each underlying concept.
What In The Galaxy Does That Have To Do With Cybersecurity?
The Drake Equation has come to represent the idea that there is value in the process rather than solely in the result. To answer the big question, you have to work through ideas that are hard to quantify, but doing the legwork can actually result in even more progress being made than if you just emphasized the answer.
Similar to the challenge of estimating life in the universe, organizational security is a nebulous blend of hard to measure concepts – business objectives, operations, people and technology – so it’s reasonable to think we could follow a similarly methodical approach.
Instead of focusing all of our attention on the idea of how to provide a perfect, silver bullet-qualified solution, we can spend more time and attention on the underlying questions that truly make us more secure.
Business Objectives
Starting from the basic premise of how your organization sustains itself, ensures your security outcomes are aligned to what really matters. Asking a simple “What is required for us to succeed?” will point you towards the data and assets most in need of protection. As organizations grow and evolve over time, these answers can change, so it’s important to start here and ensure all are aligned before designing a program that doesn’t meet your most basic needs.
Operations
Now that you’ve outlined the “what” of your business objectives, you layer on the “how” it gets done. What is your business process from start to finish, and how does information flow throughout? Staying agnostic to the people and tools, map out the specific processes employed throughout the organization to maintain basic functionality. Look at both internal process and external touch points for interactions with customers, vendors, and external third parties. Identify the crucial operational nodes that keep things moving, and you’ll have a clearer sense of where to deploy your resources to support the business.
People
All the objectives and operational plans are only as effective as the people tasked with their execution. Who are the people involved throughout your operation, and do different people need to access different information at various points? This could include a map of work locations, roles and responsibilities, and the resulting access requirements. By reviewing personnel structures and overlaying them with the operationally necessary functions identified previously, you gain a deeper understanding of what is needed to create a secure environment for everyone to safely do their jobs.
Technology
Finally, take a look at your technology, both tools and policies. What tools are needed for these people to do this work? Things like systems and end points can be mapped, and technology use policies and security procedures evaluated against the objectives, operations, and personnel needs identified earlier. Knowing what technology is currently in use and how it’s being used, helps identify any gaps and gives you a roadmap to align your security infrastructure with what your organization needs today.
Conclusion
In our industry, we are given the simple directive to secure organizations, and our interpretation of that assignment too often gets narrowly defined as a quest for the perfect security solution. Borrowing a few decades of experience from our neighbors in the scientific world, we can reap the benefits of shifting our focus to the underlying questions rather than any specific result.
By following a Drake Equation-inspired exercise of asking the right questions and permitting the multi-layered discussions that follow, we gain valuable insight into these misleadingly simple ideas. Taking the time to deep dive into each, leaves you more aware of the what, who and how your organization relies on for success. This, inevitably, puts you in a stronger position to develop a posture that increases security and resilience for whatever may come – out of this galaxy or the next.
Loren Dealy Mahler is the CEO, Jupiter Exchange and 9+ year Cyber Security Summit Think Tank Advisory Board member.
You can connect with her on LinkedIn at Loren Dealy Mahler LinkedIn