How to measure security efforts and have your ideas approved

In this interview with Help Net Security, Malcolm Harkins, Chief Security & Trust Officer, Epiphany Systems, talks about the challenges security leaders must face when communicating with their company’s management and what to do to overcome them.


There are many challenges a company’s management has to face and many communication hurdles to overcome. What is challenging security leaders the most?

Leadership is the art of motivating others to want to struggle for shared aspirations. The security leader's challenge is not only to do this for their direct organization but to do it across the enterprise, from the end user to the business decision makers, as well as across all of IT, from infrastructure to operations to app developers. So, in many ways it is no different from what the CEO must do to get a result.

But for the business the result is easier in some ways because you can measure it in the form of revenue and net income, and all employees are rewarded/paid based on those business results. So, the real challenge for the CISO is one of becoming in essence the CEO of the security business and determining how to effectively motivate and work with and through every employee toward a common result: enabling the business while achieving and maintaining an appropriate level of security. If you can do this, and do it effectively, I call that Protect to Enable.

What would be a good strategy for security leaders when presenting their ideas?

A story is data with a soul. I like to consider myself a choice architect: how I architect a choice will determine in many cases the outcome of the idea presented. Being able to articulate how your idea will affect risk, total cost of control, and business velocity will determine not only whether the idea has merit but whether it will be approved and implemented. If your idea can lower risk, lower total cost of controls, and reduce friction to improve business velocity, you have a substantially higher likelihood of having your idea approved.

If security is underfunded, you may not be able to lower total costs, but you have to show the potential material exposure the business may face and the options available to manage/mitigate the risk while enabling the business objective.

What would be the best way for security leaders to communicate with their peers?

Pick up the phone and/or meet them in person. Having broad and deep relationships across your organization is key to your ability to tell a better story, because you have improved context, which allows you to demonstrate that you can not only protect the business but also help enable a better business outcome.

Could you explain “reachability” and “risk”? How do these frameworks change communication?

In the Secure Software Summit, Bryan Smith from Risklens, Rob Lundy from ShiftLeft and I delve deep into reachability and risk. Risk in the definitional sense is the potential for harm; in the cyber context we need to think about that in terms of the significant events that could cause a material exposure for the business.

There is a difference between what is merely vulnerable and what is exploitable within the depths of the environment, not just at a surface-level exploit. The exploitable case is where you have some critical asset or data that is reachable by an attacker who can pivot from that initial compromise or foothold, daisy-chaining their way across devices, identities, or applications to something that matters: something that can create a material event/exposure for the business.

In the world of cybersecurity, the most frequently asked question focuses on "who" is behind a particular attack or intrusion, and may also delve into the "why". We want to know who the threat actor or threat agent is, whether it is a nation state, organized crime, an insider, or some organization to which we can ascribe blame for what occurred and for the damage inflicted. Those less familiar with cyberattacks may often ask, "Why did they hack me?" As someone who has been responsible for managing information risk and security in the enterprise for 20-plus years, I can assure you that I have no real influence over threat actors and threat agents, the "threat" part of the above equation.

These questions are rarely helpful, providing only psychological comfort, like a blanket for an anxious child, and quite often distract us from asking the one question that can really make a difference: "HOW did this happen?" But even those who asked HOW have answered with simple vulnerabilities: we had an unpatched system, we lacked MFA, or the user clicked on a link.

The current focus on the WHO, WHY, and vulnerability-based HOW does the industry and everyone else in general very little service. As I mentioned earlier and as we discussed in our session, the primary variable in the security risk equation through which we as defenders have the maximum chance to impact risk is where my organization is exploitable.

From a consequence and impact perspective there are only three primary consequences we need to focus on: Confidentiality, Integrity, and Availability. Each of these has different potential impacts on an individual, on an organization, or more broadly on society, depending on the technology or data attacked. When we examine "how" attacks are accomplished we see three core targets for attacks:

So what must always be analyzed, acted upon, and reported to management is HOW an intrusion or attack could be successful, so we can provide prescriptive recommendations on how to eliminate attack paths as well as where to prioritize detection of anomalous activity to intercept attackers before a material event occurs. If we do these things right, with the proper business context, we can change how we communicate and make decisions with the business in ways that lower the reachability an attacker could have within our organization, and thus demonstrate true management of cyber risk.
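The distinction the answer above draws, between a host that is merely vulnerable and one that is exploitable into a material exposure, is an attack-path reachability question and can be computed. The following is an added example, not code from the interview, Epiphany Systems, or the Secure Software Summit session; the environment graph, the set of critical assets, the scanner findings and the footholds are all constructed here for illustration. Each directed edge is a pivot an attacker could actually use (an exploitable service, a reused credential, a trust relationship); a node with a CVE contributes no edge unless that CVE is exploitable from a neighbour. The code then sorts scanner findings into those that sit on a path from a foothold to a critical asset, those that are reachable but lead nowhere material, and those that are not reachable at all, and finds the nodes whose removal cuts every path.

```python
"""Attack-path reachability: vulnerable vs. exploitable to a material exposure.

Added illustration; the environment below is constructed, not a real network.
"""
from collections import deque

# Constructed sample environment (hypothetical). Keys are devices, identities
# or applications; values are the nodes an attacker can pivot to from there.
EDGES = {
    "internet":        ["web-app"],             # exposed web front end
    "web-app":         ["svc-account"],         # RCE yields the app's service identity
    "svc-account":     ["db-replica"],          # identity only has read on a replica
    "db-replica":      [],
    "phish-victim-pc": ["file-share"],          # foothold from a clicked link
    "file-share":      ["domain-admin"],        # cached admin creds on the share host
    "domain-admin":    ["customer-db", "hr-db"],
    "customer-db":     [],
    "hr-db":           [],
    "legacy-erp":      ["customer-db"],         # unpatched, but no edge leads INTO it
}

CRITICAL = {"customer-db", "hr-db"}                            # material if compromised
VULNERABLE = {"web-app", "legacy-erp", "file-share", "db-replica"}  # scanner findings
FOOTHOLDS = {"internet", "phish-victim-pc"}                    # plausible starting points


def all_nodes(edges):
    nodes = set(edges)
    for targets in edges.values():
        nodes.update(targets)
    return nodes


def reachable(edges, start):
    """Every node an attacker can pivot to from `start` (iterative DFS)."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in edges.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def attack_paths(edges, footholds, critical):
    """Shortest pivot chain from any foothold to each critical asset (BFS)."""
    found = {}
    for start in sorted(footholds):
        parent, queue = {start: None}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in edges.get(node, []):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        for asset in sorted(critical):
            if asset in parent and asset not in found:
                path, cur = [], asset
                while cur is not None:          # walk parents back to the foothold
                    path.append(cur)
                    cur = parent[cur]
                found[asset] = path[::-1]
    return found


def triage(edges, footholds, critical, vulnerable):
    """Split scanner findings by whether they matter to a material exposure."""
    exposed = set()
    for start in footholds:
        exposed |= reachable(edges, start)
    on_path = set()
    for path in attack_paths(edges, footholds, critical).values():
        on_path |= set(path)
    return {
        "material": sorted(v for v in vulnerable if v in on_path),
        "reachable_only": sorted(v for v in vulnerable if v in exposed and v not in on_path),
        "unreachable": sorted(v for v in vulnerable if v not in exposed),
    }


def cut_points(edges, footholds, critical):
    """Single nodes whose removal eliminates every path from a foothold to a critical asset."""
    cuts = []
    for node in sorted(all_nodes(edges) - footholds - critical):
        pruned = {k: [m for m in v if m != node] for k, v in edges.items() if k != node}
        if not attack_paths(pruned, footholds, critical):
            cuts.append(node)
    return cuts


if __name__ == "__main__":
    for asset, path in attack_paths(EDGES, FOOTHOLDS, CRITICAL).items():
        print(f"{asset}: {' -> '.join(path)}")
    print("triage:", triage(EDGES, FOOTHOLDS, CRITICAL, VULNERABLE))
    print("cut points:", cut_points(EDGES, FOOTHOLDS, CRITICAL))
```

On this constructed graph the only finding that is exploitable to a material exposure is the file share, because it sits on the phishing foothold's path to the domain admin identity and from there to both databases; the web app's CVE is reachable from the internet but dead-ends at a read-only replica, and the unpatched ERP system is not reachable from any foothold even though it has an edge to the customer database. The cut-point search is what turns the analysis into the prescriptive recommendation the answer calls for: removing the cached credentials on the file share, or the domain admin's standing access to the databases, removes every attack path rather than one vulnerability.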

Based on your experience, what industries are particularly vulnerable at the moment? Are there any industries where security leaders are doing particularly well? Why is that?

Everyone is vulnerable. All industries. All geographies. But not everyone is exploitable to a material exposure. I wouldn't per se list an industry that is better or worse than others, but I do know peer CISOs/CSOs who do a substantially better job than others. They have lower exploitability of their enterprise to a material exposure. Why? They are risk takers and are constantly pushing the envelope to innovate and use leading-edge technology to create a bend in the curve of risk. They can do this because they sense, interpret, and act upon risk with better acumen and agility. No different from any great business leader who is ahead of trends and anticipates business threats regardless of industry. The good ones will always outperform.
