Smart CISOs know when not to pay attention to the "wisdom of the crowds"

If Apple had followed the 'wisdom of the crowds' in 2006-2007 they'd never have made an iPhone. If smart CISOs paid too much attention to the Information Risk Leadership Council's latest article they'd be in as much trouble as they purportedly are right now. There is a lot wrong with CISOs that put all their hope and budget in prevention, but the word itself is definitely not the problem. Nor is the solution the one that CEB IRLC (Executive Board's Information Risk Leadership Council) advocated - although they just followed NIST's lead.

The article starts with the following fictitious scenario:

Board Member: "But you said we successfully deployed prevention measures against this sort of thing."

CISO: "Well, you see, it’s more like a speed bump than road spikes."

Board Member: "Then why do we call it prevention?"

CISO: "Because we always have."

Wonderful, isn’t it? Our supposed member of the executive (otherwise it can’t possibly be a C-level and the C in CISO is just a white lie) should’ve been fired if he sold prevention controls as 100% effective. Another obvious question that would be immediately raised is why there would be any other types of control if prevention was successful. And let’s not forget the obviously ham-fisted defence that no C-level (even jokingly C-level, like, you know, CISO) would have made. Anyone that has done more than cursory security work will know that prevention is a road spike - and that some threats use bald tyres, others have run-flat tyres fitted and some roll in tanks.

But the main thrust of the IRLC’s article is not the futility of preventative controls. It is about the word prevention. And once the war on the word prevention is declared, a bunch of other words of equally final meaning are bandied about.

"Protect" was also the word chosen by NIST last summer when they changed their cybersecurity framework’s core function areas from "know>prevent>detect>respond>recover" to "identify>protect>detect>respond>recover".

Now I’m not a native English speaker, so I at times consult the dictionary just to make sure the word I’m using is the word I want to use. And checking the Collins dictionary shows this:

prevent (verb)

  1. (transitive) to keep from happening, esp by taking precautionary action
  2. (transitive) often foll[owed] by from to keep (someone from doing something); hinder; impede
  3. (intransitive) to interpose or act as a hindrance
  4. (transitive) (archaic) to anticipate or precede

So to prevent is to hinder something from happening, taking a precautionary action. Definitions 2 and 3 show that “prevention” is a fallible undertaking. Now let’s see the NIST preferred word:

protect (verb)

  1. (transitive) to defend from trouble, harm, attack, etc
  2. (transitive) (economics) to assist (domestic industries) by the imposition of protective tariffs on imports
  3. (transitive) (business) to provide funds in advance to guarantee payment of (a note, draft, etc)

Only one definition is useful for information security purposes, and it has a rather more definitive meaning: to defend from trouble. It does not appear to allow for sometimes failing, or for only temporarily blocking the event (the "hinder" in prevent).

So obviously the choice of the word went from bad to worse. But that’s not all that is questionable in the article, especially for an article on the Information Risk Leadership Council’s page that is aiming to improve communication. Take the following sentence:

Yes, end-user awareness prevents some people [2] from doing dumb things, but the aggregate effect on the organization is only a reduction in risk exposure, not a nullification of the risk.

A good risk manager will tell you that nullification of a risk is at best a fool’s errand. The only way to nullify a risk by an active threat is to avoid any and all risky situations, which is impossible when you are also meant to run a business. I must be missing something, because allowing the idea that risk nullification is possible strikes me as at best naive, at worst misleading.

The idea behind the article is solid. CISOs need to improve communication with the rest of the organisation in order to improve information security posture. However, the details of the recommendations on how to improve communication are counterproductive.

The article blindly follows the NIST CyberSecurity Framework (sic), which in itself wouldn’t be a bad idea if the NIST CSF was a great framework, which it isn’t. The article recommends that smart CISOs:

Use a Threat Based Controls Framework

While some threat-based approaches like the kill chain may be too technical for business leaders, aligning controls capabilities to "Identify, Protect, Detect, Respond, and Recover" makes intuitive sense.

Except that just saying something “makes intuitive sense” doesn’t really make sense. I’ve been in the industry for a long time and the idea of aligning controls capabilities to five areas with significant overlap makes less sense to me than just the simple “prevent, detect, respond”. For example, when does identify end and detect begin? Can you identify a phenomenon without detecting it first? Where does respond end and recover begin?

Formalize Risk Appetites Across Different Functions

The goal is to help evaluate the risk appetite/tolerance of different business partners in order to understand how they will likely prioritize proposed information risk initiatives.

Except that it is also established that people’s attitude to risk changes depending on their perception, the environment, the circumstances, etc. Risk appetite is internal and subconscious; in other words, impossible for a person to express in words.

Some of the recommendations are common sense and it is surprising that they need to be called out for members of the C-suite (CISO, remember, should be a member of the C-suite, otherwise we’re just talking about a glorified information security manager).

Develop Greater Business Engagement Skills

Uncover the benefits that matter to stakeholders and incorporate them into your controls recommendations. Then, articulate risks in terms of business context and stakeholder posture.

And the last recommendation is one that on the surface makes sense, but whose details actually do more harm than good:

Understand the Limitations of Different Forms of Communication

Good liaisons [13] prefer to communicate face-to-face when possible, resorting to a phone discussion as a worst case.

This advice makes it seem as if everyone else always has the time for face-to-face discussions, phone calls at worst. The truth is that the majority of communications happen in written form, short and concise. If CISOs really want to improve communications and maximise the effect of their communications, they need to learn how to communicate well in all forms, not just verbal.