Overkill Does Just as Much Damage as Underkill

It’s actually been fun watching the political theater of the last several months down in the States. Did Russia interfere in the US elections or didn’t they? Is Trump corrupt or just ignorant? Will populism work for the US and different parts of the world, or is this just a temporary sideline before something else comes along? You could say that this is the new soap opera – “As the World Burns”. Lol.

But there was something that came up today that I thought is a very good lesson for implementing security today. It was the response from Russia to an AP story saying that Russia planted fake news stories that led to the separation of the Arab world from Qatar. The Russian response? “The world has gone crazy,” said Vladimir Dzhabarov, deputy Chairman of the Russian Foreign Affairs Committee. “Whatever happens, there is a Russian trace there, the trace of Russian hackers.”

The lesson to be learned here is that it’s important not to get caught up in the emotion of the moment when you are running your security practice. It’s too easy to read a news report, have a knee-jerk reaction and implement something. Hell, most plans that I see from CISOs are based on news reports and unfounded fears rather than on properly thinking out a strategy that will focus on the needs of the business over the years to come.

Strategy is about understanding the direction of the business and planning ahead on how to support it. Security, by its nature, is meant to include a risk analysis and then create plans around those risks. But don’t make the threats something that you read in the news. Actually do some research. What are the REAL risks that you face? If you are a retail enterprise, do you REALLY have to worry about nation-state actors? Probably not. If you are involved in manufacturing, do you really have to worry about script kiddies taking over your CNC machines? Again, probably not.

Risk, and the strategies that plan to deal with risk, is about understanding a combination of threats and impacts. If something happens, what’s the impact? If you have a virus outbreak on your workstations, what’s the impact? Inconvenient, sure, but wouldn’t it be far worse if that happened on your servers? If someone’s laptop is stolen, is that bad? Probably not, until you find out about the file with a million users that was kept on that laptop. Balance the threat with the impact.

The reason why CIOs were, for so long, not really kept at the adults’ table of the executive suite was that they didn’t take a business approach to their decisions and focused only on the technology rather than on how the technology supported the business. The same is clearly happening with CISOs. They are solely focused on security rather than on how security can support the business. If you aren’t in an industry that is business related (e.g. government or non-profit), is the CISO supporting the core focus of that organization? THAT is the question.

Responding to things you read or hear about through emotion will result in spending money on things inappropriately. Or, and this is just as important, not spending money on things that may be more important. Take a strategic view of security and of supporting your organization and you will stand a much better chance of being successful. Don’t let the emotional aspects of the times sway you from where you need to go.

Think strategically, not emotionally, and your security posture will be just fine. Think like an Architect.

Hope this helps …
