Are you a senior, non-technology executive or board member? especially so for a public company?
Have you had to deal with your CISO lately?
Isn’t it just the most fun you could ever imagine having?
Fifty Shades aside, let’s talk for a moment about why those conversations usually end up with only one person (not you) speaking while the other (you) waits patiently for the CISO to get out of their face. Other than the obvious reason, which is that even though the CISO had picked up the lingo, they still appear preternaturally oblivious to the realities of how businesses actually, you know…
I am referring to, of course, the phenomenon of using fear, that lovable, righteous cudgel, to bully you into submission: to approve budget asks, to provide extra funding for liquor and tranqs, to anything really. Every identifiable phenomenon must be given a name to make it easier to discuss, so as a public service today, I hereby christen this one as Breach Mongering.
And boy, it’s a whopper, isn’t it? Everybody goes on about it these days. You can’t read the news peacefully anymore without running into some security breach, privacy breach, data breach, breaches and more breaches. Then the CISO comes by and hammers that groove, and what are you gonna do except nod your head wisely, give them what they want, and… here is the really important part… hope nothing bad happens during your tenure?
Now why did I choose to highlight the last bit?
Because I am here to tell you that your instincts, the same ones that got you to where you are, are still right and good. You are not wrong to hope, because ultimately, the reality of actual breaches is that they are, by and large, both predictable and kinda random. Predictable because, at least in the case of for-profit hacking, the larger and more known you are, the likelier you are to be targeted. Random, because of the nuances involved in how breaches usually begin, which is why breach mongering is such an effective marketing tool.
And all the ones that make it to the media? That’s proving the point. Because if even security product and services companies with strong security cultures “get owned” (the security parlance for “got breached”) regularly, then it tells you that the common mantra of “we must invest more in security to make sure it doesn’t happen to us” is, perhaps, no more than a retelling of that old quip about the definition of madness.
So, truth bomb number one: you can’t make sure it doesn’t happen to you, and neither can your CISO, no matter how animated they are. Not if you want to stay in business. Because the only way you can be sure is not to rely on technology at all. It’s not technology’s fault; the only difference is that now theft doesn’t involve physical actions like breaking open a sensitive document cabinet.
What technology has done is make it easier to execute and detect such activities, which leads us to truth bomb number two: the world really hasn’t changed, no matter what they tell you. Stealing from others is a tale as old as time. All technology has done is make stealing faster, easier, and safer, in particular due to cross-jurisdictional issues in prosecuting digital theft.
What is happening here is that there is an entire industry set up to use breach mongering in order to present you with the illusion of control and scare you into spending money on “protection”. It starts with the vendors, who in turn have their own bottom lines to enhance and protect, and the venture capital industry, which has correctly sensed that this is a tremendous growth opportunity.
It continues with security leaders, many of whom have grown up in a world where technology rules. Not to mention how many CISOs out there got the title out of sheer desperation within their respective organizations. Don’t let that “C” fool you; it implies no business experience, just often being in the right place at the right time, which is normal for any emerging discipline. Decades ago, that was me. But as I have learned in the time since then, without sufficient business context, they simply cannot properly assess risk.
The next time you hear your CISO tell you about how they are afraid of “the things they don’t know that they don’t know,” you know what to do: nod your head wisely and wait for them to leave. You’re not in national security. It’s meaningless drivel.
“OK Barak, so how about Solarwinds?” (as of the time of this writing, that’s the big breach du jour). Here is the wrong lesson: we must invest more in security so it doesn’t happen to us. Sorry, no, can’t make sure of that. Here is the right lesson (go ahead and verify with general counsel): we may finally get a better definition for liability associated with communicating about a public company’s security posture, which should assist your insurance company in refining your D&O premiums… that is, if the case doesn’t get settled out of court. Which it very likely will and then we’ll be back to good ol’ “liability guesswork” type of breach mongering, which in turn is fabulous for security vendors.
My goal here is not to say that investments in security are unnecessary. You already know that they are necessary – your gut tells you that this is true, and I am telling you to trust your gut. It has gotten you this far. But I am also here to tell you that you should let it guide you in the other direction as well. If your CISO is all fire and brimstone in the next board meeting, and especially if they can’t even communicate with you in a way that makes sense to you, don’t let them bully you. Or perhaps get a bit of external validation; having a business-forward security leader perform a little review may help you tease out the real from the imaginary.
Or, you know… nod your head wisely, write that check, and wait for them to leave.