Author: Aaron Pritz, CEO, Co-Founder – Reveal Risk
Salespeople everywhere just clicked on this article dreaming and scheming about getting their product into the field of 64. They each believe they have a bespoke Cinderella story to get down to the Sweet 16, the Elite 8, or even the Final Four of cyber tool providers.
Unfortunately, this article will not announce such a contest. <Insert Sad Trombone Sound Effect>
This article is for all the people… the process… and yes, even the technology decisions, projects, and controls that go into the most well-rounded, mature programs.
With so much to do, how do you pick the winners and losers?
How can IS teams use “bracketology” concepts to focus their efforts, pick more winning projects, and reduce more risk? Let’s get down to it.
First, most of us in cyber would LOVE to start with a field of 64 things. Wow! Only 64 things to do. What a dream world! Instead, information security teams can face “things that you could do” more like an international regular season of all the sports, teams, and contests of every country in the world. This is not manageable!
Perhaps those reading this who are not directly involved in the cyber field may not understand, but I always say that there are a million and one things you could do in cybersecurity to reduce risk. Even if you do a million of them, you can still suffer a cyber attack the next day. There is no such thing as absolute or 100% protection.
A few years ago, the Standish Group Chaos Report found that only 29 percent of IT project implementations are successful, and 19 percent are considered utter failures. This Standish Group finding isn’t incidental, either. Research from McKinsey found that 17 percent of large IT projects go so badly, they threaten the very existence of the company. These same statistics often ripple (or even become exacerbated) into the cybersecurity program execution landscape.
If you had to pick a Final Four in your cyber program, could you? Are you risk-prioritized, or are you playing an endless game of technical whack-a-mole? Vulnerable assets, integration of acquisitions and facilities, and adoption and scaling of security tools across the IT organization could fill 100% of a reasonably sized IT security team.
Next, what divisions are in your league? Hopefully people, process, and technology are your 3 divisions and they are appropriately balanced (e.g. not a dominant technology division with failing people and process divisions; but I too often see this being the case).
Why? People: attackers prey on humans because they are the weakest link. Over ~90% of security incidents start with a phish (note: no longer limited to email phishing) because that is the easiest and most efficient tactic. So equipping humans with a defensive mindset is critical. Beyond that, does your people division even know what plays they are running? Do they know what sensitive Crown Jewels they handle? Do they know how to handle them according to their sensitivity? Do they know how to report concerns and get questions answered?
Process: technology and human defensive assets are only as good as the processes, and the understanding of those processes, that are in place. Technology needs to be scaled across divisions, applications, and other IT assets. Also, human processes need to be in place to operate key controls. Processes can make things understandable, efficient, and effective (unless said processes are non-existent, broken, or confusing, which would mean they haven’t been cared for). This is like the “fundamentals”. Do your people (IT, IS, and business) know where they need to be on the court and what plays they are supposed to be executing? Can they consistently and effectively run these plays?
Technology: there is a vast landscape (ocean) of tools and tool providers. There are some really great things out there. There are also some options that should never make the tournament, but their persistent sales teams will try to convince you that they are a big time Cinderella story.
So, if we all have endless options and combinations of investments in people, process, and technology controls, how the heck can leaders define a prioritized path forward? It comes down to any number of risk/outcome-based prioritization methods: defining the highest-value (risk reduction) efforts, prioritized by protecting the assets most important to your business and related operations. Protect what’s most important first, and then expand your aperture after you have that under control.
That may be easier said than done. This approach takes getting really close to the business your company is in and understanding the daily focus of every division; it may feel like 2-a-day practices in a gym. Let’s break down the stats on why a balanced team focus is imperative:
In basketball tournaments, you have:
- Offense (3pt shooting, field goal %, etc.)
- Defense (opponent points per game or ppg; opponent shooting %; blocked shots/steals)
- Luck or better yet, Determination/Perseverance/Grit
- Offensive and defensive plays can be drawn up using a number of different strategies. Is your defense playing man-to-man or a zone? Are you pushing high tempo offensive plays or slowing the pace, moving the ball around, or maybe running a “weave”?
In cyber, as discussed earlier, we have plays that can be run across people, process, and technology.
However, picking too many “plays” or doing so in a random or volatile way can make your movements weak, cause distractions, and fatigue your team so that they may be unable to continuously perform.
A good coach will apply concepts of risk management, ideally drawing insights from:
- The threat landscape (what should I be most nervous about getting hurt by?)
- The maturity and controls landscape (where are my most significant gaps, and which areas could most lead to potential compromise, across people, process, and technology?)
- Lastly, and most importantly in my book, but often overlooked: understand your most significant potential business risks that could be exploited via a security compromise (where could the opposing team hurt us most, regardless of how they accomplish it?)
So let’s assume your organization has figured out how to operationalize the sorcery often referred to as information classification / crown jewel evaluation. If you have achieved this, your organization has the chance of knowing what game you are playing. Now you know the sensitivity of the information your employees handle every day, and how to secure it appropriately based on its sensitivity.
With this information you can hyper-focus your efforts on what matters most to the business you are in. After all, why would you be working on B, C, or D priorities if you haven’t finished the A’s?
Even if you make the tournament, it is important not to get cocky! There are 63 other priorities trying to confuse you about who the future cyber effort winners could be. This means that even if you are working top-priority projects on top-priority business assets, there still may be too many things. How do you deal with this?
You need to effectively narrow the playing field down to something that can be achieved by your team based upon:
- number of resources
- abilities / capabilities of your workforce
You can eliminate contenders with a number of tools / games:
- benefit / effort analysis: plotting projects by their complexity/effort against the inherent risk reduction they would bring, and choosing the high-benefit, low-effort ones first
- stack ranking projects based upon immediacy of need (building blocks or rapid, high risk reductions) against available team capacity and the risk tolerance of the business (how much risk are we willing to accept by not doing something?)
- playing “64 pickup”: throwing all the cards into the air, randomly picking them up, and working them sequentially. (Note: I see this option more than I would like to report. I also would strongly not recommend it!)
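To make the first two of those "games" concrete, here is an added Python example (not part of the original article, and not a Reveal Risk tool) that scores a small, constructed project portfolio. It plots each project into a benefit/effort quadrant using the portfolio's own medians as the dividing lines, produces the pure benefit-per-effort ranking, and then runs a capacity-constrained stack rank that takes building blocks first and reports the risk reduction the business is implicitly accepting by deferring what did not fit. The project names, effort figures and 1-10 risk-reduction scores are all invented for the example.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Project:
    name: str
    effort_weeks: float     # estimated team effort (person-weeks)
    risk_reduction: float   # analyst score, 1 (negligible) to 10 (removes a top business risk)
    building_block: bool = False  # "immediacy of need": other work depends on it


def benefit_per_effort(p: Project) -> float:
    """Risk reduction bought per person-week; the slope used in benefit/effort plots."""
    return p.risk_reduction / p.effort_weeks


def quadrants(projects: list[Project]) -> dict[str, str]:
    """Place each project in a classic 2x2: thresholds are the portfolio medians,
    so the split adapts to whatever scale the team uses for its scores."""
    effort_cut = median(p.effort_weeks for p in projects)
    benefit_cut = median(p.risk_reduction for p in projects)
    result = {}
    for p in projects:
        low_effort = p.effort_weeks <= effort_cut
        high_benefit = p.risk_reduction >= benefit_cut
        if high_benefit and low_effort:
            result[p.name] = "quick win"          # do these first
        elif high_benefit:
            result[p.name] = "major project"      # worth it, but plan capacity
        elif low_effort:
            result[p.name] = "fill-in"            # only when there is slack
        else:
            result[p.name] = "thankless"          # candidate for cutting
    return result


def benefit_effort_ranking(projects: list[Project]) -> list[Project]:
    """High benefit, low effort first; ties broken by the smaller effort."""
    return sorted(projects, key=lambda p: (-benefit_per_effort(p), p.effort_weeks))


def stack_rank_with_capacity(projects: list[Project], capacity_weeks: float):
    """Greedy stack rank: building blocks first, then by benefit per effort,
    taking each project that still fits in the remaining capacity.
    Returns (selected, deferred, accepted_risk) where accepted_risk is the summed
    risk-reduction score of everything deferred: the risk the business is choosing
    to live with this planning period."""
    ordered = sorted(
        projects,
        key=lambda p: (not p.building_block, -benefit_per_effort(p), -p.risk_reduction),
    )
    selected, deferred = [], []
    remaining = capacity_weeks
    for p in ordered:
        if p.effort_weeks <= remaining:
            selected.append(p)
            remaining -= p.effort_weeks
        else:
            deferred.append(p)
    accepted_risk = sum(p.risk_reduction for p in deferred)
    return selected, deferred, accepted_risk


# Constructed sample portfolio (hypothetical projects and scores, for illustration only).
PORTFOLIO = [
    Project("MFA for remote access", 4, 9, building_block=True),
    Project("Crown jewel inventory", 6, 7, building_block=True),
    Project("Phishing simulation program", 3, 6),
    Project("SIEM replacement", 20, 8),
    Project("Patch legacy app servers", 8, 8),
    Project("Security awareness posters", 1, 1),
    Project("Vendor risk questionnaire overhaul", 5, 3),
]

if __name__ == "__main__":
    for name, q in quadrants(PORTFOLIO).items():
        print(f"{q:14} {name}")
    print("\nBenefit/effort ranking:")
    for p in benefit_effort_ranking(PORTFOLIO):
        print(f"  {benefit_per_effort(p):.2f}  {p.name}")
    chosen, deferred, accepted = stack_rank_with_capacity(PORTFOLIO, capacity_weeks=20)
    print("\nSelected for this period:", [p.name for p in chosen])
    print("Deferred:", [p.name for p in deferred])
    print("Risk-reduction score deferred (accepted risk):", accepted)
```

Two things the output makes visible that the bullet list alone does not: a cheap, low-value item (the posters) still gets picked up by a pure ratio-based greedy pass once the high-value work has consumed most of the capacity, which is why the quadrant view is worth keeping alongside the ranking; and the "accepted risk" figure is the number to put in front of the business when asking whether the deferrals (here the large SIEM replacement and the legacy patching) are a risk it is willing to carry.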
The process to achieve the above decisions and prioritization of activities is essentially the essence of information security risk management. Ultimately, managing risk requires you to understand the areas and information types of the business that are most important, prioritize the threats that could compromise your business most significantly, and understand the maturity of your program and how to get it where you need it to be.
At Reveal Risk, we have a fantastic and diverse team of tenured corporate cybersecurity leaders, attorneys, Six Sigma Black Belts, and military veterans who come together to help you understand your business risk and how to focus on protecting the right things, with the right people, process, and technology investments. We can help you understand what you need to do because we have served in the role you are in. We want to help you maximize your “shots on goal” to reduce cyber risk, because no company has unlimited time and resources.
We can help you have the most success regardless of the size of your team, the limits of your budget, or the maturity of your current information security program. It all starts with prioritization and focus, and we would love to help you reveal your risk.
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you find that you want assistance in building your company’s cyber security strategy, governance, and plan towards desired-state maturity, please don’t hesitate to connect with us at email@example.com.
About the Author
Aaron Pritz is a senior IT/Security/Privacy/Risk leader with over 20 years of experience, including at a large pharmaceutical company in the Midwest. Aaron co-founded Reveal Risk in 2018 after seeing significant corporate leadership and “execution of strategy-to-operations” capability gaps in the cyber security and privacy consulting industry. Aaron is a creative-thinking strategist who brings strategies to life through engaging approaches and teamwork. He is an active industry influencer and speaker on the topics of business-driven risk management, insider theft, and cyber security in healthcare, and is no stranger to helping companies progress both before and after incidents/breaches (ideally the former!).