Shifting the Focus of the Cybersecurity Discussion
First, if you have not yet read Joel Brenner’s report, “Keeping America Safe: Toward More Secure Networks for Critical Sectors,” written for the MIT Center for International Studies and the MIT Internet Policy Research Initiative, then you should open another tab right now and go do that. Don’t worry. We’ll wait. The report is not so interesting for breaking new ground, but rather for shifting the focus of the cybersecurity conversation in a couple of ways. It also says aloud something many security pros fear to say even to each other: we don’t really know how to measure risk in cybersecurity. If you can’t measure risk, then you can’t really calculate reward. That failure to understand risk comes largely from the lack of visibility we have into some of the most basic parts of the people, process, technology, and environment where our systems operate.
Brenner’s report immediately sets a tone most do not. It recognizes that too often the security person in the room is the “no man” or the one who is yelling at everyone. So this report looks to make constructive suggestions about policy at the highest levels that Brenner feels would alter the fundamental conditions of security work in every organization. Now, we could spend a lot of time at a bar arguing about how many, if any, of the suggestions spelled out would be effective. However, the tone of being constructive and prescriptive is very welcome regardless. If all the security pros in the US were to adopt this change in tone immediately, the whole industry might become markedly more effective overnight. Goodness knows I’ve been the “eat right and exercise” nagger in too many meetings myself.
The recognition that we do not have the tools to see things clearly enough to quantify risk is also a breath of fresh air. In the Second Challenge of eight, the report clearly lays out how our collective understanding and conversation about cyber-risk is lacking:
Quantifying risk in either absolute or relative terms is a difficult challenge that impedes cybersecurity investment in all sectors examined except certain financial institutions. The asserted inability to measure the rate of return on cybersecurity investment is a closely related problem that affects overall investment levels and makes it difficult to target investment. Fragility of systems is a salient aspect of risk that concerned participants in all sectors. Absent assurances of confidentiality, candid participation by the private sector will not occur. However, the public should be informed of the general state of security of critical infrastructure.
There is only one thing I would modify in this statement. The focus here is on inter-organizational conversations. I believe even intra-organizational conversations suffer from this. Our collective inability to quantify risk inside our organizations isn’t something we say enough even to our colleagues. But everyone knows it. Everyone knows the first step to a solution is admitting there is a problem. This report points to the problem clearly and lays it out thoroughly. One can only hope it can start the conversation we need to have about cyber-risk, security, and the ways we can dig into our systems to expose everything needed – within our own organizations and to others outside as well – in order to define, quantify, and then take steps to truly control our risks.