There was a really interesting point in a Cisco survey I read over the last few days that was talking about the overall confidence levels of security leaders regarding their ability to keep their organizations safe. And, actually, it’s something I’ve also seen come up pretty regularly when I talk to security leaders, architects and other security professionals. I’ve just never kept track of the numbers. Fortunately, Cisco did.
Now, of course, being Cisco, they’re ultimately pushing something I’m not—which is filling in the expertise gap in your security team with more blinking lights and automation. Sure, automation’s great…
…if you know where to put it.
However, given that 94% of the people in this survey believed they’d yet to crack the code on building an effective security program, it’s probably no surprise that most of those same people didn’t believe they can afford the security they need.
Because, let’s face it, if you don’t know whether you’re dealing with mice or tigers, then you have no idea how big of a net you’re gonna need—but you wanna make damn sure it’s more than big enough. And speaking of mice and tigers reminds me of that famous George Box quote you might’ve seen me mention before:
“Since all models are wrong, the scientist must be alert to what is importantly wrong. It is inappropriate to be concerned about mice when there are tigers abroad.”
Now, we’re not scientists, but I am talking about models. In particular, I’m talking about the mental models that many people are using to plan the way their security program spends its time…and its money. Because it’s these models – and, most specifically, the assumptions behind them – that are what keep us painting stripes on the little critters with the beady eyes, the twitching whiskers and the long, skinny tails…
…when we should be looking for the real tigers around us, set to devour all of our money and our time when we think we’re doing everything we can to keep our organizations safe. Because, what the bad guys don’t really want us to know is that all those threats, and all those vulnerabilities, and all those technology toys…
…ya see, they’re the mice.
And yet, that’s where we spend the majority of our time, effort and energy. We’re constantly trying to beat them all into some kind of submission, and we’re ignoring those things that’ll make us truly effective.
Maybe you think I’ve lost my mind, and that’s totally ok. I can live with that—especially if it makes you stop and think for a minute how much of your time you spend on day-to-day operational mole whacking, playing a game you’re never going to win because there’s no way we’re ever going to have the resources of a million different teams of bad guys—even if we’re at the very top of Fortune’s annual list.
But, to me at least, those tigers we’re ignoring are the ones that should be the next pins on the map of our own journey to building an effective security program from wherever we are, right now. They’re the boring, totally un-sexy stuff like…
…understanding the organizations we’re supposed to protect, and I mean deeply, not at just some superficial level…
…being able to prioritize and effectively assess the real, relevant and prioritized threats facing our organization, strategically and based on our deep knowledge of the business, rather than just based on whatever happens to be this year’s order in the Verizon DBIR.
…and creating a set of security policies that we don’t have to fight every day to enforce, because they’re aligned and enable the flow of the organization, not snarling the river with the blockade of a beaver dam they think we erected in the dead of night, sneaking around behind their back, just to annoy the hell outta them and enjoy our little power trip.
Of course, that’s not how we see it. We see it as doing the best we can to keep the organization safe in an environment where our security “customers” couldn’t even double-click a VPN sitting in the middle of Moscow airport, right next to the GRU gin joint.
But what we see only matters in our little corner of the world, because, let’s face it, they outnumber us, and, at the end of the day, that’s the end of the business that prints the money…
…and we’re far too often seen as only the end that spends it.
One of the levers the Cisco study lists as a way to solve this problem is credibility, but they only take the outward-facing view. Because being able to build credibility and influence downstream, with the vendors and suppliers we choose to bring into our organization mostly just takes tacking a few 0’s on the end of the invoices we approve. Spend enough, and we’re certainly going to get whispered sweet nothings about pre-public vulnerabilities.
But the kind of credibility that makes the most difference to the success of the security program faces 180º in the opposite direction. It’s the internal credibility we have with our security stakeholders. The credibility that builds trust instead of suspicion. The credibility that builds rapport instead of animosity.
You’re gonna think I’ve gone all cute-n-fuzzy bunny on you, but it actually starts with convincing our customers that we care.
No, I’m not talking about asking them out to the prom. I’m talking about making them believe that we care about what they’re trying to accomplish.
That’s the kind of sentiment that builds credibility, and that’s one of the first of the real tigers we have to tame. Because, until we do, we’re never going to be able to get out in front of the bad guys and focus on what really matters.
And that’s exactly what they want. Because if we’re worried about the mice, then their job becomes oh-so-much easier.
We can do this—if we focus on the real tigers. And, the best part is, it doesn’t take a whole lot more money…or time…or commitment.
Those – whatever we have right now at our disposal – all just need to be pointed in the right direction, and we need to make sure we have the real skills we need to build, nurture and grow that credibility and trust with the business…with IT…with the Executive Team…and with the Board. Because those are our real security customers.
How are you engaging with them today? How well do *they* believe they’re being supported by you? Where are you spending the majority of your security time, energy and budget?
And how do all those answers fit together?
If you’re struggling to make them align, then you’re not alone. There’s a whole bunch of organizations out there facing the same challenges—and, among those, there’s a few that I’ve worked with to help them overcome them. Doesn’t mean I can help you. But then again, it doesn’t mean I can’t either.
Only one way to find out for sure, and that’s by clicking this link and booking a time where we can talk about your own challenges, today, and which of those real tigers are snarling at you the loudest:
Andrew S. Townley
Archistry Chief Executive