Playing It Straight: Building A Risk-Based Approach To InfoSec What a crooked haircut can teach you about framing the discussion about organizational security goals and strategies.
I don’t remember much from my school days, but I do remember one particular statement from one of my teachers. During the course of delivering the lesson, she illustrated her point by remarking: “If you hold your head crooked, you get a crooked haircut.” You might ask yourself what exactly this means and what this has to do with information security. Allow me to elaborate.
What my teacher illustrated with that phrase was the idea of building the proper frame of reference. The haircut analogy illustrates this as follows. A barber or stylist approaches a haircut from his or her frame of reference. Generally, the person giving the haircut is standing up, and thus their frame of reference is based on that (vertical). The person receiving the haircut is generally seated. If that person holds his or her head straight, then both people share the same frame of reference. If, however, that person tilts his or her head, his or her frame of reference becomes different than that of the barber or stylist. As a result, what appears to be a straight haircut to the barber or stylist will in fact be a crooked haircut to the customer.
In other words, if we want to achieve a certain outcome, we have to work towards it from within the correct frame of reference. Otherwise, no matter how much time, money, and resources we invest into our efforts, the outcome may be different from what we expected.
We can extend this analogy to the security realm and learn some valuable lessons from it. Almost all organizations now realize that they need to build or enhance their security programs. Of course, strategies, approaches, and methodologies will vary widely in this endeavor. Results will also vary widely. When undertaking this effort, frame of reference becomes extremely important. If an organization does not properly calibrate its efforts, it can end up investing a lot of time, money, and resources into a security program that misses the mark. In other words, having the right frame of reference guides a program to success. Building or enhancing a security program in a “crooked” frame of reference can ultimately lead to a program that does not adequately address the needs of the organization and does little to improve its security posture.
I’d like to illustrate this concept by sharing a few examples of incorrect frames of reference that I sometimes see in organizations. My goal is to help organizations understand the concept and identify any potential areas for improvement internally.
The Program of “No”
Unfortunately, security professionals sometimes get a reputation for being the people in an organization who always say “no.” In recent years, security has become an integral part of most organizations. But it’s important to remember that the main purpose of an organization is to be successful in its particular line of business. Of course, a business cannot operate without accepting some risk.
A security program’s ultimate goal should be to mitigate risk while enabling the business to be successful. For example, if the business needs to move to the cloud in order to stay competitive, the security organization should focus on how to mitigate and minimize risk before, during, and after that move.
Unfortunately, the frame of reference of many security organizations is structured around a knee-jerk “no” response. The trouble with this is that many areas of the business very quickly learn to go around the security team, rather than work cooperatively and collaboratively with it. In some cases, the security team may even be seen as an adversary. The end result is that the organization’s security posture does not improve at all -- in fact, quite the opposite.
The program of “no” frame of reference most often results in exactly the opposite of what it intended. A frame of reference that seeks to build trust with the business to enable the business to operate more securely produces much better results. After all, security is a business function and should operate accordingly.
Not Focusing on Risk
I, along with many others, have previously written on risk-based approaches to security. This approach is quite strategic in nature. It involves prioritizing risks and threat to the organization and subsequently working through mitigating those risks and threats. Unfortunately, some organizations don’t build security programs from this frame of reference.
There are a number of different types of approaches I’ve seen that are not risk-based in nature. For example, organizations may build their frame of reference around intelligence, certain categories of technology, certain skillsets, or other things. Each of the examples I’ve mentioned is important and has its place in security, but none of them should be used as the basis for a frame of reference. For example, although intelligence is important, building a security program solely around intelligence causes an organization to rely too heavily on what someone else tells them is important, rather than the real risks and threats to their organization.
Building a frame of reference around mitigating risk allows an organization to incorporate multiple techniques to reach the desired end goals. But the risk-based frame of reference ensures that the organization will properly address the risks and threats it faces regardless of the techniques it employs. Alternate frames of reference address some risks and threats, but they do so informally, rather than strategically. That leaves an organization vulnerable.
I’ve seen some organizations that run from one “strategy” to the next, following the latest fad, buzzword, shiny object, or otherwise. The fault in this frame of reference is obvious. Fads come and go, but at the end of the day, they were not defined to address the risks that an organization faces.
Of course, new technologies, novel approaches, and fresh thinking can always be used to improve and strengthen a strategic approach to security. But again, they need to be incorporated within a strategic frame of reference. The “new” cannot itself be the frame of reference. That often results in organizations investing heavily in areas that don’t actually mitigate much risk for them -- in other words, chasing ghosts.
Unfortunately, there are far too many “crooked” frames of reference within which an organization can find themselves. A strategic, risk-based approach to security can help an organization build a frame of reference geared towards its needs. Having a “straight” frame of reference is critical for properly guiding the efforts of a security organization to adequately address the risks and threats facing the organization.
Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio