Can We Talk? Finding A Common Security Language

How engineers can get beyond the crippling vocabulary and semantic barrier of infosec and actually communicate about cyber risk with bosses and business colleagues.

Jason Polancich, CEO, Musubu

September 29, 2014

4 Min Read

Put yourself in the shoes of your CEO.

Good morning, Mr. or Ms. CEO! Quick question -- and I need you to think fast: What’s the top cyber risk to your enterprise this quarter, and how does it affect your business’s bottom line?

It might help to think back to your last status meeting with your security team. In the meeting are all your department heads, including your CFO, COO, CMO, CTO, and CSO.

Imagine that you’ve come to the half-hour set aside for the CSO and his lead infosec engineers, and, on the slides, you see one summarizing your IT security and cyber defense spending over the first half of the year. Things like antivirus, malware detection, and anti-phishing show up, as do $ symbols followed by healthy numbers beside things like IDS/IPS, firewalls, signature detection, log aggregation, netflow analysis, and packet inspection.

Then you see a slide summarizing your top cyber security issues over the first half of the year: words and phrases like Zeus, Citadel Trojan, Backoff POS, Man-in-the-Middle, Dorking, Beaconing, Packet Reflection.

So, what is the top cyber risk to your enterprise this quarter, and how does it really affect your business’s bottom line?

Imagine you still can’t answer? You wouldn’t be alone.

Today’s enterprises, and their CEOs and board members, are increasingly impacted by everyday cybercrime. However, despite swelling budgets and ever-expanding resource allocations, many enterprises are actually losing ground in the fight to protect vital business operations from cyberharm.

While there are many reasons for this, none is as puzzling as the inability of executives and other senior management to communicate with their own security professionals. One major reason for this dysfunction hides in plain sight: There is no mutually understood, shared, and high-level language between the two sides via which both can really connect, perform critical analysis, make efficient and faster decisions, develop strategies, and, ultimately, work with less friction.

In short, it’s as if there’s a conversation going on where one side is speaking French, one side Russian, and they’re working through an English translator who’s using pocket travel guides for both languages.

In other business domains, such as sales or financial performance, there are time-tested and well-understood standards for expressing concepts and data -- in words. For example, things like “Run Rate” or “Debt-to-Equity Ratio” allow those people pulling the levers and pushing the buttons in an organization’s financial operations to percolate up important reporting for business leaders to use when steering the enterprise ship.

This is all made possible by a shared language of terms and classifications.

For the area of business where cyber security and business overlap, there’s no common, intuitive, business intelligence or key performance indicator (KPI) language that security professionals and business leaders share to communicate effectively. No common or generally accepted business terms and metric specifications in place to routinely track, analyze, and express how cybercrime affects a business. And, for the leaders and security professionals alike, this gap affects both sides equally.

How do businesses get things tracking?
There is no silver bullet that will work for every organization. But there are simple, practical ways to help the two sides begin communicating better. To start, enterprises can establish a standard, high-level cyber ontology within their organizations. In other words, create a specification for how cyber concepts are described and tracked. This will enable engineers on the security side to express lower-level, cyber operations information in ways that management can leverage for planning, strategy, and, more fundamentally, good old-fashioned discourse.

Once established, data can be gathered together, mapped to this specification, and then analyzed and exchanged. It sounds simplistic, but too few organizations diligently collect cyber data in this manner, and thus they lose out on the opportunity to create a common language for expressing important concepts.

For example, most cyberthreats and hits that an organization suffers can be expressed in terms of: Who did what to whom (or against what), how it was done, and what happened as a result? For example:

  • Actor

  • Target

  • Effect

  • Practice

From here, as things occur, macro-level categories of items can be created underneath each of the high-level groupings such as:

  • Actor. State-Sponsored, Organized Crime, Hacktivist, etc.

  • Target. Web Servers, Point of Sale (POS) System, Cloud Storage, etc.

  • Effect. Website Downtime, Data Stolen/Leaked, Vandalism, etc.

  • Practice. Network Intrusion, Social Engineering, Malware, etc.

As entries are made, other data can also be added. Enrichment data and simple metadata, such as date and time, and specific micro-level information, such as "Malware: Citadel Trojan," can be entered and then analyzed. Everything from simple summary rollups to time series analysis, and more can then be performed against this data in ways that resemble traditional KPI-driven formats found in sales or financial performance.

What’s more, once data is collected in a standard format, it’s very easy to connect it to KPI-type data from the other key business domains to create insights into how your business, your suppliers, your customers, and more are being affected by cyber events. IT and security budgets become more amenable to fine-grained assessment and continuous quality checks and improvements.

In other words, security engineers and those who lead them can begin to talk the same, shared, data-driven language. It’s a simple, inexpensive approach with big, persistent results.

About the Author(s)

Jason Polancich

CEO, Musubu

Jason Polancich is co-founder, app designer and digital marketing lead for Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 that provides highly accurate, timely and actionable information to businesses about cybercrime threats. Polancich is also the founder and lead architect of VandalsSmile, a data-driven, small business marketing and lead generation network making big data work practically and usefully for owners.

Polancich is a serial entrepreneur focused on solving complex Internet commerce, data analysis, and cyber-defense problems. Novii Design, a company he co-founded in 2005 with Rebekah Lewis-Polancich, was based on his contributions to cloud architectures, distributed computing, data analysis and systems integration. The company assisted the US intelligence community and Department of Defense in building some of the largest data warehouse and analysis systems ever put into operation within the government and defense contracting sectors. Novii Design was sold to Six3/CACI in 2010. Polancich is also a service-disabled veteran of the U.S. Army. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights