Today we live in a complex world of hardware, software, and firmware. Much like the comfortable pair of jeans from college you just can’t bear to throw out, legacy equipment and ideas hang around past their “effectiveness date” because change is hard and technology moves at such a blistering pace that updating every time something “better” comes along would be impossible. But with technological advancement come vulnerabilities. And as hard as white hats are working to protect data, networks, applications, and so on, cyber criminals are working equally hard to inflict damage. Once an attacker finds a way onto your network, they can exfiltrate data, install malicious code, and establish additional footholds that can be exploited at a time of their choosing. With all this in mind, it’s easy to see why security pros view these scenarios as “game over,” and why it’s so easy to fall into an “all or nothing” mindset.
Network protection with realistic expectations
When experiencing a moment of “I must protect All The Things!!!” it’s helpful to think about how other fields approach win-loss scenarios. For instance, in the world of retail, “shrinkage” is a term used to describe how much inventory loss due to theft or errors can be expected and absorbed by the business. No successful retail organization would ever estimate 0% shrinkage because that’s unrealistic. According to the National Retail Federation, U.S. retail organizations experience an average of 1.33% shrinkage (as a percentage of total sales) every year. For retail organizations generating billions of dollars of revenue, those numbers really start to add up, but there is always some level of expected and acceptable loss.
Looking at statistics for non-cyber crime, local, state, and federal law enforcement track year-on-year crime rates to gauge progress. As with retail shrinkage, achieving a 0% crime rate in any given town, city, or state is unrealistic, so rather than aiming for perfect, agencies set goals to decrease crime in their jurisdictions over time. If the crime rate increases during a specified period, the FBI or police reevaluate, reset, and improve in the areas they can control, such as evidence gathering and interview techniques.
Taking a page out of these playbooks, security teams should embrace the idea that protecting data, networks, systems, etc. is an ever-evolving process instead of a point-in-time, black or white situation. As such, the concept of “absolute” becomes obsolete. Rather than, “How do I secure the entirety of my organization’s digital data and technology,” the security strategy can become, “What is the most sensitive data my company collects? Where is it stored and how is it used? What protections are already in place? Are they adequate? Are there methods to place better controls around access to data without overhauling the whole infrastructure?”
Asking these kinds of questions—looking at security in small, prioritized chunks—is a lot more manageable than, “Secure everything to 100%.” Beyond breaking down security into workable pieces, the most important aspect of improvement is acceptance that there are no absolutes. Perfect security is not viable and should therefore not be a goal. Though there will be high-profile data breaches for which the CISO (and perhaps some direct reports) will be held solely accountable, in most cases security teams will survive security incidents provided they can demonstrate due diligence. This requires the security team to understand and properly convey realistic information about the cybersecurity program to business stakeholders. If security sets an expectation that 100% of data breaches can be prevented (because that’s the dream), any incident will be considered a strike against the program. If, however, we accept the reality that systems can’t be both 100% secure and functional, security can be measured in shades of probability, where no single incident becomes an automatic “fail.”