Rational Cybersecurity Q2 Update
Since launching the Rational Cybersecurity for the Business book project to kick off the New Year, I’ve made great progress, completing more than 20 security leadership interviews, and drafts for 5 of the 10 chapters.
Rational Cybersecurity for the Business’s target audience are security leaders and professionals seeking to fully align their security programs with all levels of an organization – from the Board member overseeing risk on down to LOB executives allocating budgets, line managers or supervisors, developers or IT system administrators, and the end users who can become your greatest asset or liability.
A Cybersecurity Pareto Puzzle
Over the years, in countless consulting engagements and research projects I’ve looked at virtually every cybersecurity domain and have often found that an organizational or political challenge was the root cause of a technology problem. That there is no technology silver bullet, no foolproof solution to risks.
In Rational Cybersecurity for the Business, I framed this question: What is the Pareto Principle (80-20 rule) for cybersecurity? What 20% of the work can we do to get 80% of the benefits?
The Cybersecurity Pareto Question became my organizing principle. What I’ve found is that even doing just the 20% creates enough work to spread across virtually all cybersecurity domains. Businesses of any complexity still need a broad control baseline. However, the degree of emphasis to put into each control, what practices to emphasize, and how the pieces fit together varies greatly for each enterprise. As Jack Jones, Chairman of the FAIR Institute likes to say, “For most companies, security spend is like the advertising budget. You know you’re wasting half of it, you just don’t know which half.” Better to take a risk-informed approach!
Risk aside, the following are universally important to cybersecurity efforts: Security culture and governance; IT simplification and rationalization; Access control with minimal drag on the business; and Resilience capacity. Take a look at how this shapes the outline:
- Chapter 1: Understand the Cybersecurity Business Landscape
- Chapter 2: Analyze Cybersecurity Roles and Motivations
- Chapter 3: Establish a Control Baseline
- Chapter 4: Simplify and Rationalize IT and Security
- Chapter 5: Manage Risk in the Language of Business
- Chapter 6: Create a Strong Security Culture
- Chapter 7: Put the Right Security Governance Model in Place
- Chapter 8: Control Access with Minimal Drag on the Business
- Chapter 9: Institute Resilience, Detection, and Response
- Chapter 10: Pull it all Together with a Rational Cybersecurity Roadmap
I’m about halfway through the first draft at this point, but less than 25% of the way through the desired number of interviews. I want to thank all the folks I’ve talked with so far for some amazing insights. These confidential interviews help me baseline where different types of businesses are on the governance and maturity continuum; to understand what’s working and what it takes to actually align cyber with the business; and brainstorm Cybersecurity Pareto Puzzle solutions.
On my next update, I’ll try to give you some preliminary interview findings. To do that, however, I need more of them. If you’re a security leader, or a business leader interested in cybersecurity, please contact me for an interview!