It is frustrating when “Security” is always an afterthought in the C-suite. “Why is the C-suite always de-prioritizing security?” Even with all the cyber-criminal threats, people find that the C-suite is constantly putting the cost to mitigate those threats on the backburner. It is simple: an effective crisis response plan is cheaper, more effective, and produces results. In a slide from a 2016 keynote (below), I illustrated how four companies responded to major data breaches. They did not throw massive money at mitigating the security risk. They focused their efforts on crisis management. As a result, all the companies’ revenues, customer impact, and shareholder interest recovered.
Why would the core leadership of the company want to increase their “cost” through security spending when security crises of data breaches, ransomware, DDoS attacks, and other “cyber-crime monetization” can be mitigated through cheaper public relations teams?
Yo! Security people, let us be honest: we are not going to get the budget or support needed to effectively push back on the risk. If we do our job correctly, miscreants are pushed back, and in two years the C-suite asks, “Why are we spending all this money on security when we’ve seen no threats?” Then, when security is defunded and the attacks happen, the C-suite shouts, “Why didn’t you do anything?” The C-suite is never accountable (remember, good PR).
What do we do to protect our shareholders’ and customers’ interests? Re-think security as Resiliency. Business Continuity and Resiliency are always a C-suite forethought, not an afterthought.
Security as a Force of Nature is Never an Afterthought
The #1 item the C-suite cares about is the business engine. Everyone wakes up when the gears of the business stop. Business Resiliency is critical to predicting and preventing unexpected events that impact customer satisfaction. If the C-suite puts the priority on business continuity and resiliency, then align security with their resiliency priorities. Treat security threats in the same line as natural disasters and prepare for “when,” not “if.”
Think Business and Operational Resiliency, not Security
“Security” is part of a larger resiliency architecture that keeps your business up and running. If you cover all the elements of resiliency (how the systems respond to failure, overload, natural disaster, and external stresses that impact the business), then you will cover security as part of the “resiliency playbook.” “Security” is always an afterthought in the C-suite, just like preparation for natural disasters. Remember, publicly traded companies with good PR/marketing will ride through a security crisis and recover financially.
Smart “security architects” rephrase their titles to be “resiliency & security architects.” Think of yourself as a Resiliency Architect. Your job as a Resiliency Architect is to plan for all situations where systems fail. Start with a “resiliency playbook” that covers all the risks, including all the security risks. What you find is that the elements you need to architect for resiliency cover the elements for security risk.
Let us explore an example. I have an API service for my business. I size the system for N+3 capacity in two data centers (+1 for system failure, +2 for software upgrades, +3 for surge load during data center failure). During a resiliency exercise, the team finds out that if data center A fails, the surge load shifting from two data centers (A + B) to just one data center (B) would overwhelm capacity and cause unacceptable customer impact. Capacity was expanded to N+6.
In parallel, the maximum surge capacity over the Internet links into the data center to the API service was found to be N+4. That means a surge-load DDoS attack could be handled if the API service was at N+5 capacity. Ironically, if the team tried to justify expanding capacity to ride out a DDoS attack’s impact, the C-suite would say NO. But they would be OK with the N+6 expansion because it increases customer satisfaction.
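The capacity exercise above as a small playbook check, added here as an example and not code from the original post. It assumes capacity is counted in “units” where N units carry normal peak load, each data center is sized at N+headroom, the surge that lands on the surviving data center is an assumed parameter (the post gives no number), and N=10 is a constructed value; the link ceiling of N+4 comes from the post.

```python
from dataclasses import dataclass

# Constructed model: capacity is counted in "units", where N is the number of
# units needed to carry normal peak load. Each data center is sized at N + headroom.
@dataclass
class ApiCapacity:
    n: int          # units needed for normal peak load (the "N")
    headroom: int   # spare units per data center beyond N (the "+k")
    link_max: int   # most load (in units) the Internet links can deliver into one DC


def scenarios(cap: ApiCapacity, surge: int) -> dict:
    """Map each playbook scenario to (demand, capacity available) in the surviving DC.

    `surge` is the extra load (retries, reconnect storms) that lands on the
    remaining DC when the other one fails; the post gives no figure, so it is
    an assumed parameter here.
    """
    per_dc = cap.n + cap.headroom
    return {
        "normal": (cap.n, per_dc),
        "single_system_failure": (cap.n, per_dc - 1),   # the "+1" in the sizing
        "software_upgrade": (cap.n, per_dc - 2),        # the "+2" in the sizing
        "upgrade_during_failure": (cap.n, per_dc - 3),  # both at once
        # Resiliency case: DC A is gone, all traffic plus the surge lands on DC B.
        "dc_failure_with_surge": (cap.n + surge, per_dc),
        # Security case: attack traffic is bounded by what the links can deliver,
        # so the most a link-saturating DDoS can present to the service is link_max.
        "link_saturating_ddos": (cap.link_max, per_dc),
    }


def failing_scenarios(cap: ApiCapacity, surge: int) -> list:
    """Names of the scenarios where demand exceeds the capacity left to serve it."""
    return [name for name, (demand, avail) in scenarios(cap, surge).items()
            if demand > avail]


if __name__ == "__main__":
    n = 10                      # constructed: 10 units carry normal peak load
    for headroom in (3, 6):     # the post's N+3 sizing and its N+6 fix
        cap = ApiCapacity(n=n, headroom=headroom, link_max=n + 4)  # links top out at N+4
        print(f"N+{headroom}: failing = {failing_scenarios(cap, surge=4)}")
```

With N+3 both the data center failure and the link-saturating DDoS fail the check; the N+6 expansion justified on customer impact clears both, which is the point of folding the security case into the same playbook.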
The C-suite does not want its business to go down from outages. Gluing security into the resiliency architecture gives the “security” budget a home inside the overall resiliency architecture’s budget.
This is not a new concept. Years ago at a NANOG session, a good friend, Joe Szymusiak, remembers me “strongly expressing my engineering opinions” about the myth of “5 9s.” He remembered and took notes when I said something like, “If you’re expecting to get 5 9’s uptime, you’ll require 6 P’s (Proper Pre-Planning Prevents Poor Performance).” In today’s world, this would be Resiliency Architecture combined with new concepts like Chaos Engineering.
Joe, like many colleagues, builds our systems with primary, secondary, and possibly tertiary resilience and redundancy plans. IF, THEN, ELSE is the essence of coding, but it is also the essence of resilience architecture AND the fundamentals of security architecture.
Look for more blogs on these topics and principles. I recently did a session @ AJCCBC.org, on Executive Cyber Leadership – It is Not Hard! The bottom line for the C-suite is that security should not be an afterthought. Change the thinking. Don’t ask for security; ask for business resiliency, where “security risks” are part of the business’ resiliency playbook.
And of course, have an excellent PR team, because cyber-security issues are forces of nature and it is a matter of “when” you get hit, not “if” you get hit.
Need Security Advice?
If you find your organization needs help and you worry about the FUD from the industry, reach out and ask for help. You can reach me at firstname.lastname@example.org. I help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit. It is no-nonsense security for all Operators. It provides details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights. You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.