Evaluating your Cyber-Security Approach: The Argument Against Return on Investments

Cyber Security ROI: A priceless return on investment, knowing your business, your data and your clients' data are safe
By Gigabit Systems
October 15, 2018

A company’s cyber-security strategy should be tailored to the unique needs and characteristics of the business. When considering whether or not a strategy needs improvement, organizations will often ask one another about their security budgets. This evaluation involves asking whether the budget is similar to the budgets of organizations of the same size, or how to calculate the return on investment (ROI) for security spending. Instead, corporate leadership should focus on network defender first principles, not ROI, as the means of evaluating a cyber-security strategy’s efficacy.

What Are Network Defender First Principles?

The first principles approach stems from Greek philosophy. Aristotle believed that first principles, atomic in their nature, couldn’t be broken down any further. As building blocks, first principles drive every decision that one makes. Keeping this in mind, ask yourself the following question: is your organization, above any other priority, driven by what other organizations are doing? Most likely, the answer is no. Comparing one organization to another and calculating ROI are rarely motivating factors behind business decisions; they are usually an afterthought.

As an example, let’s evaluate material impact as a security first principle. A single cyber hack can inflict hundreds upon thousands of dangerous consequences on an organization. If you decide to follow the lead of other organizations and determine an ROI in the process, you are inadvertently focusing on how to make a profit on defusing a hack. This approach is inadequate. Your strategy should instead be built around how dismantling a hack preserves your business’s most essential functions.

Keeping your business safe from cyber criminals is priceless.  But that doesn't mean cyber security should cost more than your business is worth.  Contact Gigabit Systems to find out how we can keep your business safe at a price you can afford.

How Should Leadership Determine its High-Probability Cyber Risks?

Instead of focusing on your cyber infrastructure’s ROI, your IT department should focus on identifying high-probability cyber-threats. These threats should, in theory, have significant material impact within a one-to-three-year period. Leadership should home in on which threats are the most probable in the short term. This approach allows your IT department to think realistically about what could pose a risk. Once these threats are identified, an organization will be better equipped to mitigate the risk of a successful attack sequence.

Seeking input from the senior level helps clarify which threats are more significant than others by putting these threats in the context of the organization’s greater functions and purposes. It is important to note that no threat can be thoroughly realized or understood without proper metrics. According to Philip Tetlock’s book “Superforecasting: The Art and Science of Prediction,” risk managers cannot be held accountable for their estimates if metrics did not play a deciding role. This, in essence, explains why board members should adopt a quantified approach to risk evaluation.

A quantified approach involves determining whether a risk is detectable or observable. Douglas Hubbard, who expanded on Paul Meehl’s concept of clarification chains, affirms that a detectable risk should be detected as either an amount or a range of possible amounts. Any risk found to be a range of possible amounts can also be measured. Board members must therefore ensure that identified risks can be quantified and subsequently measured in terms of their potential threat to the organization.

Current and Future Priorities

Your cyber-security priorities should echo the network defender first principles of your organization. What are the bedrock factors at the foundation of every decision your business makes? If these are not echoed in your cyber-security defense, changes are in order. A return-on-investment approach to security infrastructure fails to account for top organizational priorities, such as keeping a business’s unique functions, goods, and services productive at all times. In summary, the more a board collaborates with its own IT department to identify plausible, metric-backed risks within a specific time frame, the more likely the board is to promote a robust cyber infrastructure.

Learn more about the latest in cyber security by subscribing to our blog:

https://gigabitsys.com/news
