A business network can’t be made completely secure. Business Technology’s resident U.S. blogger Keil Hubert argues that this disturbing truth is why companies need to implement a formal risk acceptance policy – so that decision makers are compelled to consult with the cyber security team.
Answer me honestly: is your company’s critical information ‘secure’? Take a moment and really think about it. Please take the broadest possible perspective. Consider all of the things that you do (and don’t do) in order to keep your critical information protected from unauthorized disclosure, safe from unauthorized deletion or modification, and available on-demand. When all is said and done, is your critical information – right this minute – secure?
The only answer to this question is ‘no.’ There are no other honest answers, and anyone who says otherwise is almost certainly trying to sell you something. [1]
It’s been my experience that people really hate hearing that fact get stated – executives especially. I’ve driven God-only-knows how many Top Men incandescent with rage by telling them that simple, undeniable fact: that their critical information is not secure, and that I can’t ‘make’ it secure. I can (and will) do everything appropriate in my power as a cyber security expert to make our critical information as secure as possible, but I cannot achieve absolute security because I am not an omnipotent space wizard. To claim that I could somehow achieve absolute security would make me a damned liar, and also a liability to the company that I’m expected to serve.
I don’t mean to go epistemological on you with this week’s column, but I feel strongly that this is a critical concept that has to be regularly reiterated because it’s inherently offensive and unsettling to most of the folks who don’t work in the cyber security field. This is a core concept driving what we do and why we do it. We want our systems and networks to be impregnable. Wewant to be confident that our critical data is (and will remain) unsullied by hackers. We want to be confident that all of our defences work perfectly, all of the time, and that we can therefore sleep worry-free each night.
We want a lot of things. The CEO wants a perfectly secure network. I want a goram unicorn. Neither of those wants is going to be realized because of intrinsic shortfalls in our material universe. The closest that a CEO can get is to preside over a reasonably well-defended network, proportional to the extent that she resourced the department and agreed to enforce policy. The closest that I’ll get to owning a unicorn is to buy a plastic one to perch on my monitor while I protect the network. [2]
It always surprises me how some people will grow violently offended by this statement of fact. [3] I’ve seen grown men grow murderously angry after I’d refused to lie and tell them that their network could be made perfectly secure. Speaking the hard truths has (I freely admit) been a career-limiting move for me in some contexts. It was, however, the truth. As a degree’d, certified, and experienced professional, I believe strongly that I have a moral, ethical, and functional obligation to report honestly about the state of the programs and systems that I’m responsible for to my superiors and stakeholders. I consider lying about security to be an abhorrent abandonment of our obligations.
Some people just don’t see it the way that I do, and sparks inevitably fly. As an example, let’s consider the curious case of a treasured executive – as always, ‘Bob’ [4] – who blasted me during a meeting of the company’s top leaders when I told him that his network could not be made ‘perfectly’ secure. ‘You have to secure our network,’ he snarled, ‘That’s what we pay you for.’
I politely reminded Bob that he doesn’t pay his doctor to make him immortal; he pays her to keep him as healthy as possible for as long as possible, taking into account how much he’s willing to pay (in time, treasure, and self-denial) to pursue his quality and quantity of life goals. It would be churlish and juvenile to demand that she produce divinity-grade results for him when she only has mortal instruments and too, too sullied flesh to work with.
So it goes with cyber security: we do the best that we can with what we have, taking into account the threat environment, our defensive capabilities, and our executives’ willingness to support our proposed draconian control measures. We pursue immortality absolute security, knowing full well that we’ll never actually achieve it. We’ll strive for it as best we can, for as long as the bosses let us.
It’s that third bit that’s the greatest (and most vexing) professional challenge for us as security people. We can know everything in the world about how the bad guys are likely to attack us. We can build the most amazing policies and countermeasures that are 99 per cent effective in thwarting nefarious baddies. We can scrutinize the network like a famous ‘consulting detective,’intuiting intruders’ presence and motives from the most trivial of indicators. We can do darned near anything (as our funding approaches infinity), but we can’t accomplish a darned thing if the powers-that-be refuse to let us take action to mitigate a threat.
Consider the lack of company BYOD policy. Imagine that your executives decided to open the network up to any random device that anyone feels like bringing from home. I liken that to inviting Pennywise the Dancing Clown [5] to help himself from the company day care like it was a take-away buffet. Eventually – inevitably – your lack of a coherent security policy means that some well-meaning user will download your company’s most sensitive data to a PC that’s saturated with foreign malware. Yes, your refusal to set standards made things more convenient for users. You also made things muchmore convenient for the baddies, and left yourself wide-open to casual exploitation.
Worse than having no policy at all, though, is having one… and then refusing to enforce it. That’s the mark of a dangerously compromised security team. If your techs are not allowed to disrupt a manifesting cyber attack, breach, or compromise while it’s in progress, then there’s little point in your security techs showing up for work. The baddies will get what they want because the security team is powerless to stop them. The security boffins become little more than a crime scene clean-up crew. Why bother having a security team at all then? Or a firewall?
When stated plainly, most people agree that these are terrible ideas. Why would you leave your network open and vulnerable to enemy action? Why would you bind the hands of the people with the skills and the mission to protect you? That’s like disarming the gate guards at a nuclear missile silo – an unconscionable and indefensible decision. In many cases, I’ve found that companies do this out of simple ignorance: the top decision makers haven’t the foggiest idea of what sort of risk they’re assuming for the entire company when they make a decision that eviscerates their critical security controls. They simply don’t comprehend what they’re unleashing.
This might be forgivable in a small company, where the owner/operator can’t afford to hire dedicated IT people and lacks the technical skill-set to understand all the factors in-play. But how can this happen in large companies where the qualified experts are simply one phone call away?
Sometimes it’s because the Top Brass resents the security boffins; when their security people talk, it sounds like arcane gibberish. That’s fair; I’ve been in that situation. In other cases, the security people have to communicate through a higher-level management proxy who either can’t (or won’t) represent their case. I’ve been there, too. In most cases, though, I’ve found that the largest impediment to holding meaningful dialogue between the decision makers and the security experts is the lack of a formal risk acceptance program. Specifically, an inescapable requirement that whosoever commits the company to walk a dangerous path has to sign off an official records asserting that they know the risks, and personally take responsibility for any consequences that may arise from their decision.
I am a huge fan of having a formal risk acceptance programs. I’m a firm believer that the IT division shouldn’t drive the business [6]; the departments that make money are the reason that company either succeeds or fails in the marketplace. IT is a critical enabler and expert advisor on the best ways to accomplish the business’s objectives. That said, it’s ultimately the executives’ role to decide whether or not to take the business down a dangerous path. IT’s role, then, is to make sure that the executives make informed decisions, and thoughtfully accept the risks associated with their decisions. After that, we tech guys salute smartly and get to work. We may even whistle.
The key to all of this is that the decision makers can be made to understand why taking a shortcut across a metaphorical minefield may not be a cost-effective tactic. Yes, acting boldly to get ahead of the competition is laudable. On the other hand, blowing the metaphorical wheels off the business probably means the end of the driver’s career. The lady or gentleman piloting the enterprise needs to have a comprehensible grasp on what can go wrong, how bad it’ll likely be, and how hard it’ll be to recover from it. We security experts help them to run the maths and come to their own logical conclusion. Every decision constitutes a cost-benefit analysis of sorts;is the best outcome worth the impact of the worst outcome?
By shifting ownership of the consequences to the folks at the top of the pyramid, the IT department (and the cyber security team in particular) can rid itself of our reputation as the company’s bitter old curmudgeons who say ‘no’ to everything. We go back to being perceived (rightly!) as critical, trusted, enablers of the business. We’re cheerful partners who turn business needs into sustainable solutions. Meanwhile, the folks at the top start taking cyber securitymuch more seriously, and insist on enforcing reasonable, common sense defensive policies. No more do-as-I-say-not-as-I-do hypocritical practices. The job they save is, most definitely, their own. They’re vested.
Most importantly, your executives (and hopefully the other top business unit leads) will come to understand that there is no such thing as ‘perfect’ security … They come to realize that every decision has to strike a balance between functionality and security. Once the folks in charge achieve that level of enlightenment, conversations between cyber security staff and key stakeholders become much more productive, more reasonable, and a lot more civil. Almost like we were critical allies, and not petulant adversaries…
Ignorance is not bliss – it’s the shortest path to career suicide. Do your boss a favour and help save her from herself.
[1] Apologies to the Dread Pirate Roberts for borrowing one of his greatest quips.
[2] The unicorn comment is a running gag from my last employer. Someone would ask for a ridiculous policy change or service, and I’d snark off that I wanted a unicorn. As a reward for faithful service, my employees bought me a toy unicorn as a farewell gift.
[3] The inherent insecurity of systems part, not the unicorn part. That, I get.
[4] All anonymized characters in my columns are Bobs. It’s just a thing we do.
[5] The awesomely creepy bad guy from Stephen King’s It.
POC is Keil Hubert, keil.hubert@gmail.com
Follow him on twitter at @keilhubert.
You can buy his books on IT leadership and IT interviewing at the Amazon Kindle Store.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.
