Taking a day off work, I’m thinking about how work gets structured. Use standards such as CIS Critical Security Controls, NIST SP800-54b, and the National Initiative for Cybersecurity Education (NICE). Define what the team will do and, just as important, what the team will not do.
The common belief in CyberSecurity is that end-users want security that’s all but invisible. But studies are showing a surprising fact: people want to be involved and want to put in some effort. Let’s take a closer look at the IKEA Effect and Effort Justification cognitive biases and see if we can’t piece out what’s going on.
It’s time to rethink risk – both how to operationalize it and how to define it. With all the incompatible views of risk from different stakeholders through an enterprise, it’s hardly surprising that so many organizations struggle to get beyond checklist security mentality.
“Start with a listening tour: What (those other LOB executives) care about, what their business objectives are,” says J. Wolfgang Goerlich, advisory CISO of Duo Security. “You must interpret and explain security needs as business outcomes. Security can no longer be about avoiding the bad things. It must align to the business direction.”
I’ve been vocal about my disillusionment over risk management. It has its place, to be sure. It was my starting point. And I gave a number of talks advocating risk management, say 2008-2015, including one for the Society of Information Risk Analysts (SIRA). Risk management techniques are excellent at prioritizing efforts within the security function. But having built programs around risk management, I’ve realized the limitations.
People don’t think in terms of risk. Risk treatment tables don’t resonate with our stakeholders. High or low is meaningless without context. People don’t get it.
People also don’t act on risk. Wendy Nather coined this “cheeseburger risk management,” a term which I love. People will eat cheeseburgers even though they know the risk. They’ll eat right up until they have a heart attack. Only then will people get serious about what they eat, and as evidence shows, that discipline only lasts for a short time.
This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.
With apologies to Yves Saint Laurent, who once said that fashion fades but style is eternal: while we’re all caught up in what’s changing, it’s imperative to look at the aspects of CyberSecurity that are, if not eternal, certainly long-lived.
People are stressed about their jobs, their health, their family, and their friends. Meanwhile, people are working from home with lessened security. These two are a dangerous combination.
Small and midsize businesses (SMBs) have long had a reputation for being behind the curve in cybersecurity, especially compared with large companies that have more resources. A new report shows SMBs are just as capable of defending themselves, despite facing similar challenges.
“We see time and time again that SMBs are actually punching above their weight,” says Wolfgang Goerlich, advisory CISO with Cisco Security. “They’re doing better than we would’ve anticipated.”
Overall, the numbers indicate small businesses are placing a stronger focus on security over time. The same sentiment is echoed in data from The Manifest, which recently released results from a survey of 383 smaller organizations, most of which had fewer than 50 employees.
Goerlich attributes the rise in public scrutiny to two factors. One is the realization of supply chain and third-party risks, which are prompting customers to ask more questions. Even small suppliers selling tools are getting hit with inquiries more often. Another is the trickle-down effects of regulation and compliance requirements, which usually affect larger vendors first and then are passed down to smaller suppliers. Now, they’re reaching the SMBs surveyed here.
“If you’re a customer, your voice alone may not move the needle … but the voices of multiple customers move the needle in a significant direction,” he says of the rise in inquiries. Requirements for today’s SMBs are issues that enterprises were struggling with six years ago.
One thing I’ve long called for is companies to demand more from their vendors, in terms of security. This creates market pressure. This ties security to revenue. And ultimately, these steps result in improved security because customer demand results in executive support for security teams.
Good security delivers a business result and, in doing so, increases the security posture. Here, the business result is keeping existing customers and attracting new ones. The last six years have seen this call turn into a reality.
Of all the cybersecurity myths about small to midsized businesses, the most damaging is the widely held belief that SMB leadership doesn’t take security and data privacy seriously, says Wolfgang Goerlich, Advisory CISO at Cisco Duo. This myth must be stamped out immediately, he said. And while it’s myth No. 8 in a new Cisco report, “it really needs to be myth one.”
“Maybe that was true 10 years ago,” Goerlich said. “The executive teams of these organizations are taking security and data privacy very seriously. Every other myth downstream is affected by that awareness and visibility at the top.”
Cisco’s latest security report, based on a survey of almost 500 SMBs, aims to debunk myths about smaller companies’ security posture and threats. This is important because the security industry has traditionally been biased against SMBs, perpetuating the myth that they don’t prioritize cybersecurity, the report says.
To come up with the 10 myths debunked in the report, Cisco compared responses from SMBs (250-499 employees) versus larger organizations with 500 or more employees. It shows that SMBs face the same threats and potential damages from an attack and they take security preparedness every bit as seriously as their larger counterparts.
Charlotte Perriand was inspired by the American cowboy, stretched out, feet up, lounging after a long hard day’s work. This inspiration carried over into the LC4 Chaise Longue chair. Perriand was also a bit punk, and would fit in well with today’s hacker and maker community. “Perriand embodied l’esprit nouveau. She was often pictured wearing a homemade ball-bearing necklace, giving her the look of a lithe component plucked from a finely tuned machine.” Her impressive career stretched decades and focused mainly on architecture. But back to the LC4 Chaise Longue, designed early in her career while with Le Corbusier. More specifically, back to the inspiring metaphor.
Technology advances at the speed at which new metaphors are identified, shared, adopted, and absorbed. Metaphors make the new feel familiar. Metaphors provide the language and mental models for discussing and thinking. Our minds love ideas that are easy to recall and easy to consider, and so these ideas are more readily adopted. But then a curious thing happens. The more we learn and play with the idea, the less we need the metaphor, and eventually the metaphor fades away altogether. This is the point where a new set of innovations and ideas emerges, along with a new set of metaphors, and the cycle repeats.
Around 1930, Perriand applies the metaphor of the lounging cowboy to the LC4 Chaise Longue. Twenty years later, around 1950, Børge Mogensen applies the metaphor of Perriand’s chair to Mogensen’s Hunting Chair. And twenty years after that, we have lawn furniture inspired by Mogensen and Perriand. Nearly a hundred years later, none of us look at deck furniture on a cruise ship and see a cowboy. We don’t need to. Culture has absorbed the metaphor.
The same pattern happens in IT, albeit at a much faster pace, leading to three considerations for designing security capabilities. First, cultivate a garden of metaphors. We need inspiration to innovate and, perhaps more importantly, we need to inspire our organizations. Second, don’t move security along faster than the metaphor. Organizations need time to adopt and absorb our metaphors. Go too fast, skip metaphors along the way, and we’ll lose people, which will hinder or even stop the organization from adopting our security practice. Beware the curse of knowledge. Finally, increment the metaphors while incrementing the design. Think in stages.
From the castle to the perimeter firewall, from the perimeter to network segmentation, from network segmentation to micro-segmentation, take it one comparison at a time.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.