Cyber security is a seatbelt

One of the things which still annoys me after 20+ years in IT is hearing that an organisation wanted to do something, but the outcome was “security says no“. This behaviour causes business and IT leaders to disengage from cyber security, so if you find yourself working in such a scenario, how do you rebuild that trust and engagement?

The ‘security is an enabler to the business’ line has been around for some years now, but it has the ring of management speak about it, and in the absence of any further narrative to support it, it convinces no-one. How does security enable the business, how do you measure that? Where are the demonstrable positive impacts it has had? Thinking about how I’d answer those questions gave me a suitable metaphor, that of cyber security as a seatbelt.

Clunk Click on every trip

Seatbelts have been around since the 1950s, and legislation requiring the installation and use of seatbelts is now commonplace. The innovation and the subsequent legislation were a reaction to preventable injury and death resulting from collisions or sudden stops. The parallels are clear: cyber security innovation and legislation are a reaction to preventable confidentiality, integrity and availability incidents.

Seatbelts don’t enable driving, they enable driving safely

You can (if you choose to do so) drive most cars without a seatbelt. It’s your choice. However, if you to choose to do so you are accepting the risk of prosecution, injury or death which most people would find unpalatable, compared to the very low cost of just putting the seatbelt on. In effect, seatbelts don’t enable driving, they enable driving safely.

In the same way, an organisation could choose not to implement security controls to protect the data it holds, but it would risk prosecution, and potentially significant financial loss or reputational damage. Applying effective security controls doesn’t enable the organisation to conduct its business, it enables the organisation to conduct its business safely.

Simplicity vs complexity

Seatbelts have been so effective because:

  1. They are pre-installed,
  2. They are very easy to use, and
  3. There is a clear public message about their importance and the consequences of not using them.

In information technology we haven’t quite caught up:

  1. Security controls don’t always come pre-installed,
  2. They typically require configuration by trained and competent operators (they’re not exactly ‘clunk click’), and
  3. The message is complicated and therefore less effective.

Change the conversation

To start to rebuild confidence in cyber security in your organisation you have to change the conversation from:
Organisation: “We want to do {change}”
Security: “No, you can’t do that because {flawed assumption|misinterpreted compliance|lack of technical insight}”

to something more like:
Organisation: “We want to do {change} to achieve {business objective}”
Security: “We’ll work with the delivery teams to find some options which balance the risks against the benefits”.

Note that both sides of this conversation have to change. Decisions made at the wrong level of the organisation (e.g. the CEO selecting technical solutions without consulting internal subject matter experts) are not the way to make good security decisions; define what you want to achieve, and work with the technical staff to find a solution which achieves that. The job of the security team is then to respond to that clear ask from the organisation with a set of options which deliver the objective, along with the consequent risks of each option.

Make it easy to get it right

Remembering that cyber security is only one of the business risks your senior leadership team needs to consider, be more like the seatbelt:

  • Make your messaging as clear as possible; avoid ambiguity, technical jargon and low level detail.
  • Develop simple and consistent architecture and implementations, reducing the scope for human error and the cost of automation. Security should be pre-installed.
  • Make your processes as lean as possible, give people the autonomy to make informed decisions, and have an effective feedback loop from near misses and breaches to improve those decisions.
  • If a change will increase information security risk, don’t try to stop the business doing it; flag the consequences and ensure the right person makes the decision to go or not.
  • Celebrate the success of simple and effective security: get user feedback on easy-to-use 2FA, and use data to demonstrate the reduction in successful phishing attacks.

Ultimately, remember that your role is not to take responsibility for the organisation’s risk decisions; it’s your role to make sure those decisions are informed.
