All too often, we shoot ourselves in the foot as information security professionals by the language we use with executives. Certainly, the military intelligence backbone that resonates through much of our profession has given us a language that is rich with military and aggressive overtones. We use terms like attack and penetration, compromise, DMZ and perimeter defense. We buy intrusion detection systems and firewalls, build incident response teams and harden servers against attack.
In our rush to adopt the colorful title of 'cyberwarrior,' we risk alienating the clients we serve in our organizations, particularly the most valuable resource we can have in our corner: senior management. The last thing a chief operating officer wants to hear while running his or her business is how the company has been penetrated through an exploit from a web-based attack. And COOs have good reason to wince, since that message delivers two pieces of bad news: a loss has occurred, and the cybergeek is back in their office speaking incomprehensible jargon, making a cyberthief sound like James Bond.
Certainly, there are many fine information assurance professionals who actually practice information warfare, but they are limited to the Department of Defense. They are the true cyberwarriors, trained to leverage the weaknesses and vulnerabilities of the enemy's systems to mount an attack. Most of us don't have that kind of role, and instead are faced with the issue of protecting the information assets of our employers. But you'd never know it from some of the military-aggression language we toss around.
Securing assets, not fighting wars
What resonates far better in the C-suite are discussions of asset management instead of military conquest. After all, we are in the business of managing information asset risk, and this is what we need to sell. Information asset risk management and loss prevention may not have the sexy sizzle of cyberattacks and information warfare, but it's palatable to the audience, and that's a vital difference.
To an asset manager, nefarious interlopers who compromise a host are not hackers, but vandals. If they purloin credit card numbers or customer information, they are thieves, or become extortionists if they demand payment to keep quiet. It's far easier for an asset manager to think in terms of a broken lock on a system than an "unpatched vulnerability prone to exploit."
By using language already commonly adopted by the rest of society, we lose the 'cool factor' of talking about cyberterrorists, but fundamentally change the level on which we communicate with sponsors and clients. Our organizations understand how to handle thieves, vandals, impersonators, con artists and scams.
Consider how different your next discussion of information risk management with the senior executives in your organization will be if you can press all the right buttons their business administration degrees have given them. By framing discussions in the context of loss prevention and ROI, you are talking about measurable, attainable goals. Even better, there is a common context in many organizations for acceptable losses in cost and revenue centers, so there is precedent to create goals for acceptable information security losses.
In my own experience with financial institutions, credit, collection and recovery departments typically target one- to three-percent losses for bad debt. If the assets you are protecting can be discussed in similar terms, then the executive can reach a clear balance-sheet decision that expresses the amount of risk they are willing to absorb.
Charting out new territory
As information security professionals, staking a claim to ROI and acceptable losses is new territory for most of us. Some of this is undoubtedly because winning your spurs to become an infosec professional typically breeds out optimism. Further, it is too easy for us to paint a worst-case scenario when we think about catastrophic security failures.
We are so used to creating nightmare situations to shake loose corporate budgeting that this may be difficult territory for us to abandon, since giving up the FUD factor (fear, uncertainty and doubt) feels risky. However, worst-case scenarios rarely happen and don't belong in asset management forecasting as a basis for predicting losses in most organizations (national defense departments, NASA and nuclear-power engineering need not apply). By demonstrating managerial courage and coming up with a stated monetary amount of risk, it's far easier to talk about information security systems in the context of asset management and ROI, even though it will clearly put you outside the comfortable FUD zone of dire predictions. Since most of us necessarily have to state the cost of the security controls we recommend, most of the information necessary to provide estimated losses is already at hand, with the exception of 'likelihood,' which is obviously a very difficult number to pin down.
Certainly, breaking this down in a financial balance sheet seems rather alien since we are discussing the forecasts of highly complex systems with intense interoperability and without actuarial data as our guide. I'm not delusional enough to believe that we can legitimately quantify risk. However, we can qualify the risk that systems entail and also start to measure the losses that are experienced over time with these qualified systems.
Persuasion, not FUD
If you line up 1,000 systems in your organization and rank them by security posture, you will likely wind up with a similar ranking in information asset losses (over long periods of time). With the application of root-cause analysis, losses can then be attributed to security component failures, which would permit the correlation of losses to the qualified security postures of those systems and their controls. At this point, you can start developing a clear picture of actual losses.
Try to imagine the power of a persuasive argument for the introduction of a security control, given the common asset risk management tool and loss prevention language you share with your CFO and COO. Instead of being viewed as a cyberwarrior with delusions of grandeur in battling hackers and cyberpunks, you will be able to reasonably discuss loss prevention and ROI expectations for security and assurance controls. This is likely the most powerful professional tool you can wield in the executive boardroom, and the first step is adjusting our language to fit the asset management context.
Dan Houser is a CISSP and a senior security engineer for a large U.S.-based insurance company.