How Much Security is Enough? Projecting Your Inner Coder
Why this topic? As many of you know, I am the co-chair of the Mass Technology Leadership Council CISO group here in Boston, and when we were working on 2020 programming, we solicited our partner CTO group for topics that they would like to hear about from our CISOs as part of a joint event.
I was mildly stunned by amount of feedback that pointed to this topic. To paraphrase:
“That CISO comes to me every day with more work for my team. How do I know if we’re already doing enough or if we need to do more? When does it stop?”
Sensing both their desire as well as their frustration, we decided to host a panel discussion on this topic, and we had the best attendance at an event in quite some time. Obviously, this topic struck a nerve.
With that said, let me provide my perspective:
Many of my CISO peers talk about controls, vulnerabilities, threats, and risks. While all are certainly worthy of discussion, their CTO counterparts, frankly, don’t care. They want a simple answer to a simple question. CISOs (me included) have said the answer is not that simple, as there are a ton of variables at play, and then we launch in to explaining them. Unfortunately, in many cases, our partners start hearing the teacher from the Peanuts cartoons.
Security needs a better talk track. Let me make an attempt to simplify it for our partners (and give a soundbite for my fellow CISOs):
“The #1 risk to our business is not being in business. Enough security ensures that we stay in business.”
That seems a bit unsatisfying when you first look at it, but here is a second attempt – providing a bit more detail (and projecting my inner coder).
Enough Security Function
If ([customer expected security] – [your security]) > 0 then
— You have work to do
Loop minimum ([Rate of Change Acceptance] or [Cash to execute])
— You might be spending too much on security
If [can convince customers more security is worth money] = TRUE then
— you are good
— Reduce your spend
Decrease [your security] = [customer expected security]
Seems better, but probably needs a bit more explanation. As we dig into the pseudo-code, we can see three major themes: Customers, Change, and Cash. Let’s break these down:
What is the business goal when it comes to customers? Simple: keep the customer buying from the company. If they stop buying from you, there is no money coming in, and eventually the #1 risk occurs, and the company is out of business. Period.
So, let’s unpack the function. What is customer expected security? Here is what I learned in my years as a product manager (before my security career). Customers don’t generally buy security (caveat: unless you are a security product). They just kind of expect it to be there. Like the other ‘ility’ items (usability, scalability, etc.), security is very rarely a positive product differentiator. This means that people are unlikely to buy more of your product simply because it has more security. They really want more features and twirly UIs.
On the flip side, though, security can be a negative product differentiator if your product is not ‘keeping up with the Joneses’. Customers want to trust that you are protecting their interests – and one of the low friction ways to do that is to compare your product to your competitors. Do both products ask for a password? Has one been breached? , etc. I know it is not scientific, but it does seem to be the norm.
Digging further in we hit – ([customer expected security] – [your security]) – This makes two big assumptions:
One: You have an understanding of what your customer’s security expectations are. Product Managers would call this ‘competitive analysis’. I would suggest to all of my CISO peers that this is a function you need to consider adding to your portfolio (and a great opportunity to partner with product management). This can be a great enabler – nothing works better with PMs and Sales folks then articulating how they are disadvantaged because we are ‘not keeping up’.
Two: You have a sense of where your security is at. Let’s face it CISOs, if you don’t know this, you might not belong in the gig. You have a fiduciary duty to the company to understand and manage this.
Ultimately, you end up with one of two outcomes: You either need to spend more, or potentially spend less.