Making the case for cybersecurity
Cybersecurity as a measure of organizational diligence and quality
“We as a community are very good at identifying problems, but we’re very poor at making the case for solving them. Our institutions look to us as the professionals in this space for solutions, and working as a community on communicating to the broader audience of university leadership, congress, and the general public on the role of cybersecurity in research should be a priority. I think there’s a lot to learn from all the recent ‘defense of science’ statements coming out of thought leaders and national organizations in the last couple of months.”
https://michaelcorn.substack.com/p/are-we-really-that-special
So how do we make the case for an investment in cybersecurity? I think many of us find this challenging if for no other reason than it appears too plainly obvious: cybersecurity is more important than ever. Personally, I always return to the hack of a bunch of Democratic email accounts right before the 2016 election[1], the results of which contributed to swinging the election. And we’re now seeing how that’s gone.
Others will point to the endless security porn that fills the news, or CEOs who have lost their jobs due to hacks[2]. But largely, individuals have become desensitized to this information. Which means that outside of those particularly invested in the consequences of poor cybersecurity, your leadership is probably tuning out your references to these sorts of events - with one exception, that is, when they happen close to home. When I saw a large local healthcare system crippled by ransomware (to the point that they redirected emergency staff to our ERs and clinics), boy, suddenly our leadership cared a great deal about ransomware. When a large, influential research lab on a sister campus was hit, suddenly I was meeting with the chancellor and being asked “could this happen here?”
But it’s troubling to think that our only vehicle for getting the attention of our organizational leadership is a disaster, or at least a nearby disaster. Compounding this challenge is the cadence of attack information. I always, and I believe this is common, insulated my leadership from the perpetual flood of minor attacks and probes we continuously experienced. It’s merely the background noise of being on the internet. Sure, once in a while you’d pull out stats from your IPS or systems (“100,000 attacks per hour”) for effect, but generally it’s only the major, successful events your leadership hears about. A cyber catastrophe becomes more like an earthquake or tsunami: they happen, you update your building codes, but how much time can your leadership realistically spend worrying about them?
If you spend some time reading the standard advice on why investing in cybersecurity is important (this is all targeted at businesses), it seems to fall into a few categories: risk reduction, regulatory compliance, and strategic business outcomes. I would imagine these are also loosely coupled to one another. While risk reduction may imply ‘reducing the risk of being hacked’, it can also mean ‘reducing the risk of regulatory fines’. Demonstrating compliance with regulations such as GDPR, or maintaining attestations such as a SOC 2 report, helps give confidence to customers and business partners. It’s tempting to ask where ‘demonstrating respect for our customers’ data’ sits. That’s typically rolled into strategic business outcomes, since there’s little evidence customer behavior is influenced by cybersecurity outcomes. Stated concerns for privacy, and to some degree security, are generally marketing fodder rather than any sincere organizational commitment[3].
I think part of what I liked about working at NSF is that it was both easy and appropriate to argue for cybersecurity as part of the national mission of exceptionalism, that is, national security and technological sovereignty. While it is probably important to include these dimensions when presenting on cybersecurity within any public or private organization, it’s a much harder sell and rarely resonates with your leadership. “Think globally and act locally” is a fine bumper sticker, but challenging when trying to balance a thousand competing demands in your own backyard.
This is not to say you should ignore the three categories of risk reduction, compliance, and business strategy in your discussions about investing in cybersecurity. Working up a good pitch deck on all three to have at the ready is wise, and worth maintaining. But I suspect everyone in cyber leadership roles is used to making those points. I’ll spend the rest of this post talking instead about three aspects of how to make the case.
Firstly, consider what your organizational trigger points are. I recall once being asked to speak to the university president’s cabinet (I truly can’t remember the topic that got me there), and noticed everyone was simply staring at their phones. So I opened with “Let’s talk about NCAA compliance.” This was at a large midwestern school with an equally large focus on athletics. Every phone was immediately put down and I had everyone’s attention. As I’ve talked about before, organizations are idiosyncratic and shaped by the individuals and personalities that make up their leadership. Do your research. Is a meeting being run by a physical chemist? Bring up the one physical chemist you know. This not only gets the room’s attention but establishes you as a person, not a faceless bureaucrat lost among so many others.
Secondly, think through the incentives that motivate your leadership. I was once told by a senior administrator that securing social security numbers was one of the top three concerns of a campus chancellor. When I asked why, I was told “he doesn’t want to end up in the Chicago papers.” We spent a lot of time talking about SSNs and the negative publicity of breaches over the next year. Which of course bled into more general discussions of data security (which leads to system and network security). In this case the incentive was a negative one and was a trigger point for a single individual. But it was quite a gift.
Finally, the most valuable and the most difficult aspect to argue is how cybersecurity underscores and acts as a proxy for quality. I’m going to state this as a law: there is a one-to-one relationship between the robustness of a product and its general quality. This isn’t to say a robust, highly secure application means its functionality is excellent or its UX is brilliant. But the reverse does hold: an organization that fails to build cybersecurity into a service, process, or application has likely failed to apply that same level of thoughtfulness more broadly. Cybersecurity is itself, in every dimension, a process, not a solution. Immaturity of a development process, regardless of what is being developed, has a long tail that erodes the quality of a product and creates a kind of deferred maintenance that is exceptionally expensive to address.
A last word of advice. I was reading (god knows why) some advice someone had on parenting her daughter, yet it struck me as very relevant to the situation of making a case for cybersecurity. To liberally paraphrase: the emotions, beliefs, and outcomes an individual perceives are their 100% authentic lived experience, even when they defy logic. If your attempt to help them ignores this truth and moves straight to rational argument, you are unintentionally dismissing their feelings, and that approach will inevitably fail.
The people you are making your case to will have their own beliefs and internal logic about cybersecurity, a combination of the overtly and the opaquely expressed. Our jobs include giving our leadership the best plain and reasoned advice we can, based on our own experience, industry experience, and hard data. But making your case is rarely a matter of ‘my logic will win over your resistance’. I really like the metaphor of the CISO as organizational coach. Just as an athletic coach can’t simply say “run faster” and call it a day, neither can we simply say “spend more money”, even if both represent the best way to achieve our goals. Coaching requires playing the long game, a series of small paddle strokes that eventually push the boat across the ocean.
[1] https://en.wikipedia.org/wiki/2016_Democratic_National_Committee_email_leak. MSM reporting on tactics: https://www.cnbc.com/2018/07/16/how-russians-broke-into-democrats-email-mueller.html, https://www.theguardian.com/us-news/2016/dec/14/dnc-hillary-clinton-emails-hacked-russia-aide-typo-investigation-finds.
[3] I don’t think this is cynical as much as it is driven by the evidence. Whether this changes as companies continue to shift from product-driven to meme-driven leadership remains to be seen.
You’re a really good writer! Always enjoy reading your posts, even when they are about something that I otherwise would not necessarily read about.
Great stuff!