Yada, yada, yada…AI…big data…security tools…ever increasing threats…AI for good and evil…keeping ahead of the bad guys…yada, yada, yada. That’s a pretty good summary of the security “news” I get in my inbox most days, but on this particular day, I was told that “advanced, AI-based security tools are the only way to plan your defense when the cyber-threats are nebulous.”
And, given the whole load of people locked in small apartments, the lure of some “beachfront” property in the Florida Everglades seems like a good deal, right? Oh, and the ‘gators? Shoot. They’re just like dogs. They’re just coming to say hello, never mind chew your leg off. Stuff like that only happens in horror movies—and, well, the occasional newspaper.
I find this whole notion of “nebulous cyber threats” pretty amusing—especially since I’ve spent the last couple of weeks planning and writing the upcoming May issue of the Security Sanity™ newsletter all about how to deal with making pretty potent plans for your cybersecurity defense…
…but with nary a mention of “AI” or “security automation” on any of its pages.
How is this possible, you might ask? All those new threats. All those new exploits? Surely, it’s too much for a human brain to deal with—I mean, just look how exhausted and stressed-out my SOC team is. See?
I believe there are some scientifically precise terms I can use in response to this, but one of the ones that suddenly just popped into my head was:
Now, my classification of the above premise as “senseless talk” doesn’t deny the obvious facts that, yes, SOC teams and front-line security professionals are overwhelmed. Yes, they’re dropping like flies in some cases—especially with the uncertainty and dread of living through a “work”-from-home, “teach”-from-home new normal giving them an extra kick in the teeth each day right now.
And the reason for this sorry state of affairs isn’t the fault of the “bad guys.” It’s ours.
However, as I’ve said before, our job as security professionals is actually pretty simple at the fundamental level: draw a box, understand what’s inside it and the value those things provide to the things outside the box, and then make sure we manage the access to and use of what’s inside by those outside.
Of course, it’s simpler to say than it is to do, because the trick is in drawing the right boxes, identifying the right value, and then prioritizing and classifying all the ways the things inside deliver that value so we know what “access” we’re trying to control.
From this elemental operation, we can then go forth to deliver value that protects and enables a number of higher-level concepts like profitability, safety, compliance, reputation and any other form of value we’d care to build from those lower-level constructs.
The thing is, everything looks hard – or even impossible – until you know how to do it. Once you do, it’s pretty easy to forget there was a time when the task wasn’t “obvious” to you fairly quickly.
Such is the skill of building a risk-based, business-driven security architecture and using it as the foundation of your security program. In some circles, you might as well be talking about hippogriffs, unicorns, leprechauns and other magical and mystical beasts, because the belief that such a thing is not only possible…
…but can be relatively straightforward – if you have a reliable and repeatable system – is 10,000 shades beyond the pale.
Which is why we have crazy-arsed assertions that “only super AI defense mechanisms” can deal with an ever-more ambiguous cyber threat.
If you understand what you have, you know what it’s worth, and you understand how it delivers value, then you should damn-well know the majority of ways it can all disappear in a fiery ball of BOOM.
And once you do, it’s about making some informed decisions based on investment vs. return against the overall priorities of the organization you’re trying to protect.
But to do this, you need to have a pretty robust and reliable method for finding all of the ways things go off the rails. That’s what a risk assessment is for, and far too often, there’s a lot more magic than method involved in most of them. And sure, you can go down the FAIR or OCTAVE or ISO31000 or whatever method…
…but you don’t have to.
Because the majority of the success you’re ever going to have doing a risk assessment for information and cyber security comes from understanding the worlds in which your customers actually operate (which is Principle #2 of The Agile Security System for those playing along at home).
It’s time to dispel the mysticism of the risk assessment, establish agreed definitions for qualitative terms and be able to easily and quickly evolve and align both qualitative and quantitative risk assessments any way they need to go.
Oh, and you should also be able to do it defensibly—whether you’re doing it in 10 minutes on a quick conference call or you spend 10 or more days doing detailed modeling and analysis.
At the heart, it should all be the same.
And, more importantly, from an operational perspective—how you arrived at the assessment shouldn’t make any difference, because it’s only the starting point. You’re augmenting and enhancing that initial assessment based on regular operational intelligence about the internal and external world—whether it’s with a pen and a piece of paper or a full-blown operational dashboard.
Of course, this is the ultimate promise of a SABSA security architecture. And, yes, it’s not only possible, there are practical ways to do it—without taking months and months of slogging through mountains of documentation and endless meetings.
It’s just most people don’t know how—and they don’t know how everything fits together as a system…a system for actively managing information, cyber and even operational risk. Because that’s what SABSA’s for.
It’s also what the upcoming May issue of the print Security Sanity™ newsletter is for, because it goes through where your head needs to be to be effective at performing risk assessments—without complex tooling, without getting lost…
…and without gee-whiz, AI-based, Riskenator-9000s.
And to do it even in the face of, gasp, nebulous cyber threats.
But if you want it, you’d better make a decision, because in just under a day and a half from when I write this, the deadline to subscribe will be more nebulous than the promises of a gaggle of AI-enhanced security control vendors.
It’s nigh-on time to make a choice if you haven’t already. If you have – either to become a subscriber or not – that’s most excellent. What isn’t excellent is letting the clock make the decision for you.
Here’s the link you’ll need if you decide to subscribe:
Andrew S. Townley
Archistry Chief Executive