by Pete Herzog
An attack takes down the web server. An office worker notices there’s no response and calls IT support. So a member of IT support goes to the server room.
He sees the power is on and all the network cables look okay. He goes to the keyboard to login and sees there’s no shell. Nothing. Where’s the Operating System?
He thinks they got hacked. So he freaks out and calls the CISO, “The web server is dead. What do I do?”
The CISO answers, “Don’t panic, I can help you. First, let’s make sure it’s dead.”
There is a silence. Then a loud smash is heard. Back on the phone, the IT support person says “OK, now what?”
* * *
Tell me your cybersecurity strategy. If you have a head for business you probably just said a few words to yourself. It was short. It was concise. It was more information than sentence. You know your cybersecurity strategy by heart.
But if you’re a cybersecurity consultant then you’re probably still mumbling your pitch. The thing is that unless you’re in the business of selling cybersecurity products and services, you really only have one cybersecurity strategy: don’t lose money. And it’s an integral part of any modern business plan.
So what exactly is a cybersecurity strategy? A strategy is a plan with the set of goals and objectives to get a specific result. A cybersecurity strategy is a cybersecurity plan with a set of cybersecurity goals and cybersecurity objectives to get cybersecurity as a result.
People who are into selling cybersecurity strategies like to say it also includes specifics on tools and metrics. But that’s really just a trick of adding tactics to the strategy so it doesn’t sound so useless.
Yes, useless. Fun fact for you. A cybersecurity strategy is useless. There you go. A free tidbit for you. Enjoy. If you’re on Jeopardy someday, the category is business and the answer is “useless” then you’ll be a big winner. You’ll thank me.
A CEO gets lost deep in the mountains after dark. He whips out his trusty sat phone and calls the office to look up his location on a map. A cybersecurity consultant happens to pick up.
The CEO explains his situation and tells him that he needs the fastest way out of the woods.
The consultant is heard tapping furiously at the keyboard, mumbling to himself as he thinks out loud, and after some time gets back on the phone, “You need to just fly out.”
The CEO shouts, “How the hell do you expect me to grow wings and fly out?!”
The consultants answer, “How should I know? I’m a strategist.”
* * *
The truth is that if you don’t have a cybersecurity strategy for your business it’s because you’ve inherently got one. You’ve never bothered to formally make one because it’s so obvious. Like how you don’t have a formal not dying strategy.
Your cybersecurity strategy would likely say you don’t want threats of any sort affecting your assets of any sort now or in the future. Obvious.
It’s such a no-brainer that if time-travel were invented next week and criminals could go back in time to rip you off then your cybersecurity strategy would still be obvious enough to also include that you don’t want to lose assets yesterday too.
And you didn’t have to even write it down. Or pay a cybersecurity consultancy a Monopoly-style wheelbarrow full of money to do so. So if it’s useless, why is there such a focus on a cybersecurity strategy? Because tactics are hard.
Too harsh? No, appropriately harsh. It’s easier (and safer) to make a cybersecurity strategy sound like something important despite meaning nothing than it is to make tactics that work.
You look better longer too because a cybersecurity strategy can go on meaning nothing a really long time but tactics that mean nothing get noticed right away. And I mean that in a bad way not a Hollywood starlet way.
I know it’s no surprise to you but cybersecurity is hard. Not only do we not know all of the possible threats but even if we did we still couldn’t know all of the shapes those threats could change into.
Like if getting wet is a threat then what form will it take? Will it be snow, encroaching glacier, broken pipe, condensation, mis-forecasted hurricane, or the tears of a CISSP trying to create cybersecurity tactics?
But knowing about threats and what to do about them is not needed or important in a cybersecurity strategy.
No, a cybersecurity strategy, for real, looks like this. And this one is really truly for real, and swear-to-holy-stuff looks like this. I copied it just like this from an official cybersecurity strategy and then lightly anonymized and generalized it:
OUR CYBERSECURITY STRATEGY
- Securing Company systems – Our clients trust our company with their personal and business information, and also trust us to deliver services to them. They also trust that we will act to protect and advance our business interests. We will put in place the necessary structures, tools and personnel to meet its obligations for cybersecurity.
- Partnering to secure vital cyber systems outside the company – Our economic prosperity and our cybersecurity depends on the smooth functioning of systems outside the company. In cooperation with partners and clients we will support initiatives and take steps to strengthen our cyber resiliency, including that of our critical infrastructure.
- Helping our users to be secure online – We will assist our employees and clients in getting the information they need to protect themselves and their families online, and strengthen the ability of law enforcement agencies to combat cybercrime.
- Reflects our values such as the rule of law, accountability and privacy
- Allows continual improvements to be made to meet emerging threats
- Integrates activity across the whole company
- Emphasizes partnerships with government, business and academe
- Builds upon our close working relationships with our allies
Now was there is a single thing in there that REALLY needed to be written down? How many meetings did it take to write that? How much consultant blood money?
What’s in there?
- You will use cybersecurity to not lose assets
- You will use partners with cybersecurity to not lose assets
- You will help others use cybersecurity with your stuff to not lose assets
Check. Check. And Check! Got it! The message is don’t lose assets here just in case you missed it or wanna pay someone to tell you that. And do YOU have that? And I’m saying it’s OKAY that you don’t. Because there’s nothing in there that should be a surprise to you. It’s all obvious.
Super like wearing a cape obvious. And not just obvious but actually illegal to not consider doing things like following “rule of law”.
Not to mention the bit about values. Seriously, when’s the last time you thought, “Hey, I’m gonna undertake this task here and I’m not going to do it according to my values. Nope.” Assuming you know what your values are.
Truthfully, I don’t think I can articulate my own values but I’m pretty sure it would take serious, conscious effort to do something that was not my in my values. Then again to express in writing that I will follow my values has no value to the people who don’t know what my values are or can even articulate their own.
But it’s a plan. Right? We need plans. And a cybersecurity strategy is a plan. Without which we can’t be a cohesive team making solid cybersecurity, right? Right?
Wrong. You don’t need fluff telling you that your partners and clients and their families need you to have your act together and not lose their assets or them as an asset or their money which is clearly an asset. You know that. And you probably already have that in your business strategy under the heading Don’t Lose Assets.
But to have a cohesive team making solid cybersecurity you do actually need to outline what you do. Yes, you do.
And luckily for you, in cybersecurity, that do is to prevent losing assets. And everyone who wants to be in cybersecurity of any kind already knows this and cares about it and is in no way not thinking that their job is the opposite of not losing assets.
Those cybersecurity professionals aren’t freaking out about the cybersecurity strategy. And telling them is just so not helpful it’s offensive. You see, a cybersecurity strategy is about as effective as someone telling you to calm down and relax when you’re having an argument.
No, you don’t need strategy. What you need are tactics. And you need to hire the people who know cybersecurity tactics.
Cybersecurity tactics are the rubber meets the road. They are the match striking the slate. They are literally the packets smacking the server. They are the way you do the thing you do to the things you have to to have cybersecurity. And that’s hard.
But you don’t need a cybersecurity strategy because you’ve already got one.
* * *
All uses of “cyber” in this column are for keyword use only and by no means does the author imply that using such language is appropriate or cool. Furthermore this author does not condone nor deny the use of the word cyber in any way because the author is okay with the word in general, despite its original definition, because language is a living thing and meanings change.