It’s critical to your business to think critically. You must especially think critically about risk and what it means to your mission.
Cybersecurity risk is no different. Yet most vendors would have you think otherwise. The business of cybersecurity, like every other business, is driven by profit, and few things result in bigger profits than fear. Nearly every vendor today uses fear-mongering tactics to increase the chances that gullible customers will fork over loads of money toward their “state-of-the-art” solution. They use spooky language like ransomware, advanced persistent threats, privilege escalation, lateral movement, data exfiltration, and cybergeddon.
In fact, some friends of mine (who shall remain nameless) from another cybersecurity organization (which shall also remain nameless) went to tremendous effort to call attention to this in the most beautiful way: they set up a booth at this year’s RSA Conference masquerading as old-timey snake-oil salesmen, offering old-fashioned tinctures, salves, and liniments for the “good people of the world wide web [to save them] from cyber outlaws, APT bandits, virtual pirates, malware hoodlums, and the sort.”
F.A.K.E. Security [1] did more than just poke fun at other vendors and ruffle some feathers [2]. They highlighted a significant problem in this industry: customers do not know what they need and do not have the requisite knowledge to apply critical thinking to the data being thrown their way. This results in vendors using flashy displays, fancy language, and scare tactics to convince customers they need to buy, buy, buy!
Fortunately for all of you, a little bit of critical thinking can go a long way.
Critical thinking is broadly defined as “the objective analysis and evaluation of an issue in order to form a judgment.” The Foundation for Critical Thinking offers a more specific definition: “Critical thinking is the intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning, or communication, as a guide to belief and action. In its exemplary form, it is based on universal intellectual values that transcend subject matter divisions: clarity, accuracy, precision, consistency, relevance, sound evidence, good reasons, depth, breadth, and fairness.”
Whoa. What a mouthful.
You may ask yourself how someone can think critically when they don’t have the right information to think about. Luckily for everyone, the one thing we have in great abundance today is information. We have loads of information; we’re just missing the piece where we turn that information into knowledge (and, in turn, knowledge into wisdom).
Of course, there are tools for that. But we don’t necessarily need tools to think critically about the data. What we need is simply to ask the right questions.
Indeed, this is the basis for data science! Data science provides the means to make precise, reliable, and quantitative arguments about any set of observations. Those means often come in the form of statistical queries, which you can almost certainly run today with the tools you already have in place. Often, those kinds of queries don’t even require new tools; they require imagination and resolve.
What kinds of questions are you asking your data?
Let’s assume you’re the CIO or CISO of a hospital. What kinds of data do you have? Certainly you should have network and host data, user access logs, email header data, and, perhaps, logs from boundary devices (e.g., firewalls). You have data related to your mission, vision, and values, your strategic plan, your internal policies, your budget, and your work culture.
Questions you can, and should, be asking are:
What are my users doing?
What risk(s) does that present?
What other internal risks am I accepting?
What are the external risks to my organization (threats × exposures/vulnerabilities)?
What mitigations/controls/countermeasures am I currently employing?
Am I meeting the requirements (i.e., legal/regulatory, internal, accepted best practice, etc.) of my organization? And how?
Am I collecting the right data to answer tough questions if and when I need to respond to an incident?
Is anyone reviewing the data we’re currently collecting?
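To make the "what are my users doing?" questions concrete, here is an added example (not code from the original post) of the kind of statistical query the text has in mind, run over a constructed, hypothetical access log rather than anything real. The log format, the users, hosts and patient identifiers, and the 07:00–19:00 business-hours window are all assumptions for illustration. It answers four of the questions above from the same data: what each user is doing, who is active outside business hours, whose logins are failing, and which user is viewing far more distinct records than their peers (a median/MAD outlier test, chosen over mean/standard deviation so that one heavy user cannot inflate the baseline enough to hide itself).

```python
# Added example, not from the original post. The access log below is constructed
# and entirely fictional, in a hypothetical format:
#   <ISO timestamp> <user> <host> <action> <target> <result>
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

LOG_LINES = """\
2024-03-04T08:12:03 nurse01 ehr-app01 login - ok
2024-03-04T08:13:10 nurse01 ehr-app01 view_record pt-1001 ok
2024-03-04T08:20:41 nurse01 ehr-app01 view_record pt-1002 ok
2024-03-04T09:02:17 nurse02 ehr-app01 login - ok
2024-03-04T09:05:00 nurse02 ehr-app01 view_record pt-1003 ok
2024-03-04T09:45:12 dr_lee ehr-app02 login - ok
2024-03-04T09:46:30 dr_lee ehr-app02 view_record pt-1001 ok
2024-03-04T09:50:02 dr_lee ehr-app02 view_record pt-1004 ok
2024-03-04T10:01:55 dr_lee ehr-app02 view_record pt-1005 ok
2024-03-04T22:41:09 admin7 ehr-db01 login - fail
2024-03-04T22:41:20 admin7 ehr-db01 login - fail
2024-03-04T22:41:33 admin7 ehr-db01 login - ok
2024-03-04T22:45:00 admin7 ehr-db01 export_table patients ok
2024-03-09T03:15:44 vendor_svc ehr-app01 login - ok
2024-03-09T03:16:01 vendor_svc ehr-app01 view_record pt-2001 ok
2024-03-09T03:16:05 vendor_svc ehr-app01 view_record pt-2002 ok
2024-03-09T03:16:09 vendor_svc ehr-app01 view_record pt-2003 ok
2024-03-09T03:16:14 vendor_svc ehr-app01 view_record pt-2004 ok
2024-03-09T03:16:18 vendor_svc ehr-app01 view_record pt-2005 ok
2024-03-09T03:16:22 vendor_svc ehr-app01 view_record pt-2006 ok
2024-03-09T03:16:27 vendor_svc ehr-app01 view_record pt-2007 ok
"""

def parse(text):
    """Turn raw lines into dicts. Malformed lines raise rather than being
    silently dropped: a log you cannot parse is not data you are collecting."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {n}: expected 6 fields, got {len(fields)}")
        ts, user, host, action, target, result = fields
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "action": action, "target": target, "result": result})
    return events

def activity_by_user(events):
    """'What are my users doing?' -> {user: Counter of actions}."""
    out = defaultdict(Counter)
    for e in events:
        out[e["user"]][e["action"]] += 1
    return dict(out)

def after_hours(events, start_hour=7, end_hour=19):
    """Events outside [start_hour, end_hour) on a weekday, or any time on a
    weekend. The window is an assumption; derive it from your own staffing."""
    flagged = []
    for e in events:
        ts = e["ts"]
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            flagged.append(e)
    return flagged

def failed_login_ratio(events):
    """{user: (failed_logins, total_logins)}: a crude guessing/brute-force signal."""
    failed, total = Counter(), Counter()
    for e in events:
        if e["action"] == "login":
            total[e["user"]] += 1
            if e["result"] != "ok":
                failed[e["user"]] += 1
    return {u: (failed[u], total[u]) for u in total}

def record_access_outliers(events, k=3.0):
    """Users whose count of distinct records viewed exceeds median + k * MAD.
    Returns (threshold, {user: count}) so the reviewer sees the baseline too."""
    seen = defaultdict(set)
    users = {e["user"] for e in events}
    for e in events:
        if e["action"] == "view_record":
            seen[e["user"]].add(e["target"])
    counts = {u: len(seen[u]) for u in users}   # users with no views count as 0
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values())
    threshold = med + k * mad
    return threshold, {u: c for u, c in counts.items() if c > threshold}

EVENTS = parse(LOG_LINES)

if __name__ == "__main__":
    for user, actions in sorted(activity_by_user(EVENTS).items()):
        print(user, dict(actions))
    print("after-hours users:", sorted({e["user"] for e in after_hours(EVENTS)}))
    print("failed-login ratio:", failed_login_ratio(EVENTS))
    print("record-access outliers:", record_access_outliers(EVENTS))
```

None of this needs a product: it is a few dozen lines over a log you already keep. On the constructed data it surfaces the two things a reviewer would want to see first, a privileged account logging in with repeated failures and exporting a table at 22:45, and a service account reading seven distinct patient records at three in the morning on a Saturday. Whether either is a problem is exactly the judgment the critical-thinking questions above are meant to drive, and the point is that the data to ask them was there all along.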
Nearly every decision you make as a leader in your organization can and should be done in the context of the organization’s mission, vision, values, and strategic plan. When you keep these in your pocket at all times, it’s easy to see through the nonsense.
When a vendor tries to sell you some fancy, whiz-bang cure-all in a box, immediately ask yourself the following:
Who benefits from this interaction?
Who can provide a second opinion (particularly an impartial or even opposing one)? [3]
What is the alternative (especially a non-tool-specific alternative) to this solution?
What problem does this solution solve and is it truly a problem for me?
Where else has this product been deployed (and is that comparable to my organization)?
When would it be most beneficial/practical to deploy a solution such as this?
When might it be problematic?
Why is this relevant to me?
Why would I need this today?
How is this different than what I currently have in place?
How does this make my organization better?
How is this disruptive (if at all)?
Always be mindful of anyone trying to tell you their solution is the solution. No solution is the solution. Like the old adage says, “If it sounds too good to be true, it is.”
And if you feel like you’re in over your head, give us a call. We don’t sell any products and we certainly are not in the process of selling snake oil. We do provide consulting services, but the critical thinking is free of charge.
“No problem can withstand the assault of sustained thinking.” ― Voltaire
1 - You can see their amazing videos and read about their “company,” named for their founder Francis Archibald Keyes, Esquire, at https://www.fakesecurity.com/
2 - And, believe me, they did ruffle some feathers. It turns out that fearmongering, overpromising, and under-delivering vendors do not like being called out for their misleading representations of their own products and capabilities, even when it’s in jest.
3 - Abraham Lincoln chose his Cabinet members specifically from those who opposed him politically because he separated his personal convictions from what he knew was necessary for the country at the time. He compared his selectees’ strengths and weaknesses against his own, and chose four individuals who would challenge each other while at the same time complementing each other’s capabilities. This is not only a great representation of critical thinking applied practically, but it also says incredible things about President Lincoln’s emotional intelligence and psychological fortitude.