Look, the executives in any organization — especially large ones — have way more on their plates than they can ever hope to fully accomplish. They’re also invariably under huge pressure to hit various objectives for the BHAGs (Big Hairy Audacious Goals) on their to-do lists.
As a result, they have to prioritize, and effective prioritization requires effective comparisons, which in turn require effective measurements. When infosec is bringing data to leadership about the many thousands of “critical” missing patches, tens or hundreds of thousands of attacks, red/yellow/green audit findings, and fundamentally inaccurate maturity model assessment results — none of which are expressed in a context the business can understand or compare against their other metrics — it doesn’t seem to me that leadership can be held accountable.
Furthermore, I suspect if you looked at their budgets, you'd find these companies are spending a LOT of money on cybersecurity.
As long as our profession believes that:
- CVSS scores represent in any meaningful way how truly critical a missing patch is,
- Ordinal values, and especially ordinal values arrived at by doing math on other ordinal values (I'm lookin' at you, 1-thru-3 and 1-thru-5 scales), are an accurate way of measuring risk,
- Red/Yellow/Green measurements are reliable and meaningful, and
- Existing maturity models truthfully represent an organization’s risk management efficacy…
…then I’m not going to blame the business executives when things go badly.
In all of my years as a CISO I never encountered an executive who didn’t care about or appropriately support infosec when I could convey it to them in terms they understood. From where I sit, the onus is on our profession to take an honest look at how we understand, measure, and communicate the challenges within our problem space.
Jack Jones is Chairman of the FAIR Institute, creator of Factor Analysis of Information Risk (FAIR), author of Measuring and Managing Information Risk: A FAIR Approach, and a former CISO in the financial services industry. Hear Jack speak at the upcoming FAIR Conference, FAIRCON19, the leading-edge gathering for security and risk professionals.