Avoid becoming the infosec scapegoat.

When a cyber breach strikes, it’s common for fingers to point at the security team. Security, after all, maintains oversight responsibility for the entirety of an organization’s data and systems protection. When something goes awry—especially if it’s a reportable incident that carries monetary fines and other penalties—it is understandable that there are calls for the “responsible party” to be held accountable.

As with many other types of incidents, however, identifying who is “responsible” can be a tricky task. Individual priorities, funding, timing, conflicts of interest, chain reactions, and more can all affect the outcome of a situation. This is not to say, though, that security organizations may shirk their duties and attempt to deflect blame when the company experiences a security incident. Rather, security must treat the deluge of breaches and the firings that follow them as a call to arms—not only to shore up security controls and processes, but to work even more closely with business partners so that others understand the complexities of securing an organization and learn where and how outside influences affect the efficacy of the security program. It is when the intricacies of running a security program are not properly communicated that CISOs and their teams become scapegoats.

Below are some steps security teams can take to ensure the broader organization has a better understanding of the security program, lessening the chances that any one person will bear absolute blame in the face of a cyber incident.

Understand your risk

Cybersecurity is shades of grey; there is no such thing as perfect security and any organization aiming for “perfect” is misguided. Instead, security teams must understand that security is a risk management function which feeds into overarching business strategies. And all business strategies take into account risk factors.

The risk of an intrusion, loss of data, system disruption or unavailability, etc. can and should be measured. “We blocked X malware samples” is not a complete picture of how well the security organization is doing (or not), and certainly doesn’t help the business determine its cyber risk. Before your security team can communicate risk, though, you first need to understand where and what that risk is. This starts with gaining a firm grasp of the company’s environment, which includes assessing:

  • Technology infrastructure and architecture (e.g., assets, configurations, patch levels, 3rd party integrations)
  • Human resources (e.g., number of FTEs or outsourced partners, skills/capabilities)
  • Baselines (established through monitoring), which are tracked and adjusted over time so that abnormalities can be alerted on and investigated
  • External and internal factors (e.g., known CVEs, hardware/software/human/supply chain vulnerabilities, likely adversary TTPs, known exploits)
  • Ability to resolve issues


Once you understand your risk, you can then go about remediating vulnerabilities or working with the business when remediation efforts will be affected by overriding business decisions (e.g., when patching will break another technology, when new software is released without a proper security check). The most important thing to keep in mind here is that security will not always get its way. The business may not always want or be able to follow security’s advice. (N.B., this phenomenon is not exclusive to security teams. You are not alone.) The key, however, is being confident and accurate in your communications about risk, i.e., what could happen and the likelihood of that happening.

A CEO may say, “no” even if the security team deems a risk high, but ultimately the security team is responsible for understanding and communicating cyber risk to appropriate parties. Remember, everyone in your organization has a different idea of what a priority is. Your job as the security practitioner (and in efforts towards self-preservation) is to be clear about the state of the state.

Don’t rely on FUD

Understanding the risk of a breach, disruption, or other cyber incident is step one, but as stated above, it is imperative that security teams communicate risks appropriately. As the saying goes, the first step is acceptance, which means for security: acknowledge that the business is not particularly interested in the technical details of running a security program.

While cybersecurity has entered the vernacular, very, very few people outside the security community want to discuss log reviews or how blocking port 80 will stop plain HTTP requests (though they may be very interested in their newfound inability to view cat photos online). Instead of trying to convert your business colleagues, speak in the language of the business—risk—and tie “what can happen if” to things like productivity, added costs, revenue generation or loss, and growth. Whatever you do, though, don’t resort to the old tactic of spreading fear, uncertainty, and doubt, a.k.a. FUD.

Because there are so many unknowns in security, it’s easy to fall into the trap of providing murky responses and predictions. This is precisely why understanding risk is of utmost importance—then being able to put that risk into quantifiable terms. “But that’s impossible!” you might be thinking. Risk professionals have been quantifying unknowns for longer than “cyber” was a thing, so it can be done; you just need to learn how.

If your company employs risk professionals, ask to work alongside them. If not, talk to your finance team. Learn common cybersecurity risk frameworks like those from NIST, US-CERT, or the FAIR Institute and apply principles to your security operations. Security shouldn’t be just a bunch of guesswork, and approaching it as such is one surefire way to become the security scapegoat when an incident occurs. If risk has been identified and appropriately communicated, there will be fewer surprises.
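One way to put risk into the quantifiable terms the paragraph above calls for is a FAIR-style Monte Carlo simulation: estimate how often a threat acts, how often it succeeds, and what a single loss event costs, then simulate thousands of years to get an annualized loss expectancy and a loss-exceedance curve. The block below is an added example written for this article, not code from the author, from NIST, or from the FAIR Institute. The phishing scenario, every number in it, and the $60,000 control cost are constructed for illustration and would be calibrated with the risk or finance team in practice; the FAIR factor names (threat event frequency, vulnerability, loss magnitude) are used as the model’s structure, and the PERT and Poisson sampling are ordinary choices, not something the article specifies.

```python
"""FAIR-style cyber risk quantification with a Monte Carlo simulation.

Added example, not code from the original article. It shows one way to turn
"what could happen and how likely it is" into annual dollar figures that the
business can weigh against the cost of a control. All scenario numbers are
constructed for illustration only. Standard library only.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Three-point estimates (low, most likely, high) for one loss scenario.

    threat_event_frequency: attacker attempts per year
    vulnerability: probability that an attempt becomes a loss event
    loss_magnitude: cost in dollars of a single loss event
    """
    name: str
    threat_event_frequency: tuple
    vulnerability: tuple
    loss_magnitude: tuple


def pert(rng, low, most, high, lam=4.0):
    """Draw from a modified PERT (beta) distribution over [low, high]."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (most - low) / (high - low)
    beta = 1.0 + lam * (high - most) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson(rng, lam):
    """Number of loss events in one year at average rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, years=10_000, seed=1):
    """Simulate `years` independent years and return the total loss in each."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        tef = pert(rng, *scenario.threat_event_frequency)
        vuln = pert(rng, *scenario.vulnerability)
        loss_event_frequency = tef * vuln  # successful attacks per year
        events = poisson(rng, loss_event_frequency)
        annual_losses.append(
            sum(pert(rng, *scenario.loss_magnitude) for _ in range(events))
        )
    return annual_losses


def percentile(values, p):
    """Nearest-rank p-th percentile (0 < p < 1) of a list of numbers."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, max(0, math.ceil(p * len(ordered)) - 1))
    return ordered[index]


def summarize(annual_losses):
    """Figures a risk committee can use: expected loss and loss-exceedance points."""
    return {
        "ale": statistics.mean(annual_losses),  # annualized loss expectancy
        "median": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),
        "p95": percentile(annual_losses, 0.95),
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / len(annual_losses),
    }


def control_value(before, after, annual_control_cost):
    """Net yearly benefit of a control: ALE reduction minus the control's cost."""
    return summarize(before)["ale"] - summarize(after)["ale"] - annual_control_cost


# Constructed scenario (illustrative numbers only): credential phishing against
# a customer database, before and after deploying phishing-resistant MFA.
BASELINE = Scenario(
    "credential phishing, password-only",
    threat_event_frequency=(2, 6, 15),
    vulnerability=(0.05, 0.15, 0.30),
    loss_magnitude=(50_000, 250_000, 1_500_000),
)
WITH_MFA = Scenario(
    "credential phishing, phishing-resistant MFA",
    threat_event_frequency=(2, 6, 15),
    vulnerability=(0.005, 0.02, 0.06),
    loss_magnitude=(50_000, 250_000, 1_500_000),
)

if __name__ == "__main__":
    for s in (BASELINE, WITH_MFA):
        figures = summarize(simulate(s))
        print(s.name, {k: round(v, 2) for k, v in figures.items()})
    print("net yearly benefit of MFA at $60k/yr:",
          round(control_value(simulate(BASELINE), simulate(WITH_MFA), 60_000)))
```

The output the business needs is not the block count but the ALE, the 90th and 95th percentile annual loss (the “bad year” figures), and the probability of any loss at all; the control comparison then answers “is this control worth its cost” in the same units finance already uses.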

This doesn’t mean, though, that security teams can find the organization’s risk, report, “We have identified that we’re 98.2% likely to have a breach and it will cost us $1,000,000,” and expect everything to be OK. Security teams must work hard and smart to continually remediate risk—that’s the job—but it’s important to be clear and accurate in your communications while you’re working towards an improved security posture.

Notably, headline news stories make it sound like all adversaries are unstoppable. It is your job as the security expert to undo that damage and paint a realistic picture for your organization while working towards a better tomorrow. Be specific about what security can affect and how the business can help. Because security often relies on the cooperation of non-security personnel, requests of others should be clear, instructive, and (most importantly) positively productive.

A greener field

It’s often said that security is an industry in which the absence of activity is a positive. While this is true as it relates to cyber attacks, behind the scenes every security organization should be busily working to fortify defenses and to make sure that business colleagues and customers don’t equate cybersecurity with “smoke and mirrors.” The only way to ensure this outcome is to develop a program that identifies and accurately conveys its own risk—in terms others can use—to the people who need to know the business’ strengths, weaknesses, opportunities, and threats in order to run a profitable, successful company.

Learn how to effectively identify and defend against threats to your organization at MISTI's Threat Intelligence Summit, Monday, July 23, 2018 in San Diego.

Rob Potter