How Much Security is Enough? Projecting Your Inner Coder - Revisited
Why are we revisiting this topic that I wrote about in 2020? To be honest, two reasons:
First, in the two years between the discussion I led in the Mass Technology Leadership Council CISO group here in Boston and now, not much has changed in the feedback we hear from CTOs and CPOs (that is, Chief Product Officers, not Privacy Officers).
Second, whether you believe the hype or not, I think we are headed into a time of austerity in information security, and the topic is more relevant than ever.
As before, we continue to hear the same frustration from the business and technology leaders in almost every organization we interact with. To paraphrase:
“That CISO comes to me every day with more work for my team. How do I know if we’re already doing enough or if we need to do more? When does it stop?”
From the first panel discussion we conducted on this topic in 2020 until today, we have collected sentiments on the question to see whether the needle was moving in the right direction. Unfortunately, our very unscientific study keeps reaching the same conclusion. Given that, let’s re-state our perspective:
Many of my CISO peers talk about controls, vulnerabilities, threats, and risks. While all are certainly worthy of discussion, their CTO/CPO counterparts, frankly, don’t care. They want a simple answer to a simple question. CISOs (me included) have said the answer is not that simple, as there are a ton of variables at play, and then we launch into explaining them. Unfortunately, in many cases, our partners start hearing the teacher from the Peanuts cartoons.
Security needs a better talk track. Let me make an attempt to simplify it for our partners (and give a soundbite for my fellow CISOs):
“The #1 risk to our business is not being in business. Enough security ensures that we stay in business.”
That seems a bit unsatisfying when you first look at it, but here is a second attempt – providing a bit more detail (and projecting my inner coder).
Enough Security Function
{
    If ([customer expected security] - [your security]) > 0 then
        -- You have work to do
        Loop until the gap closes, bounded by minimum([Rate of Change Acceptance], [Cash to execute])
    Else
        -- You might be spending too much on security
        If [can convince customers more security is worth money] = TRUE then
            -- You are good
        Else
            -- Reduce your spend
            Decrease [your security] to [customer expected security]
        End If
    End If
}
Seems better, but probably needs a bit more explanation. As we dig into the pseudo-code, we can see three major themes: Customers, Change, and Cash. Let’s break these down:
Customers
What is the business goal when it comes to customers? Simple: keep the customer buying from the company. If they stop buying from you, there is no money coming in, and eventually the #1 risk occurs, and the company is out of business. Period.
So, let’s unpack the function. What is customer expected security? Here is what I learned in my years as a product manager (before my security career). Customers don’t generally buy security (caveat: unless you sell a security product, and even then only sort of). They just expect it to be there. Like the other ‘-ility’ qualities (usability, scalability, etc.), security is very rarely a positive product differentiator. This means that people are unlikely to buy more of your product simply because it has more security. They really want more features and twirly UIs.
On the flip side, though, security can be a negative product differentiator if your product is not ‘keeping up with the Joneses’. Customers want to trust that you are protecting their interests, and one of the low-friction ways for them to check is to compare your product to your competitors’. Do both products ask for a password? Has one of them been breached? And so on. I know it is not scientific, but it does seem to be the norm.
Digging further in, we hit ([customer expected security] - [your security]). This makes two big assumptions:
One: You have an understanding of what your customer’s security expectations are. Product Managers would call this ‘competitive analysis’. I would suggest to all of my CISO peers that this is a function you need to consider adding to your portfolio (and a great opportunity to partner with product management). This can be a great enabler – nothing works better with PMs and Sales folks than articulating how they are disadvantaged because we are ‘not keeping up’.
Two: You have a sense of where your security is at. Let’s face it, CISOs: if you don’t know this, you might not belong in the gig. You have a fiduciary duty to the company to understand and manage this.
Ultimately, you end up with one of two outcomes: you either need to spend more or, potentially, can spend less.
We are going to revisit the two remaining themes of this series, Change and Cash, in the coming weeks.
Stay Safe
- Marc French