[BreachExchange] How a CISO’s Approach to Security Strategy Can Be Shaped By Philosophy

Destry Winant destry at riskbasedsecurity.com
Mon Sep 21 10:40:25 EDT 2020


https://www.infosecurity-magazine.com/opinions/ciso-strategy-philosophy/

“Philosophy?” the conversation usually begins – “that’s an odd
background for cybersecurity, isn’t it?”

“Funnily enough,” comes my well-rehearsed reply, “not at all”. I have
been surprised how often the skills of one field can be easily applied
to the other. Devising enterprise-wide risk mitigation strategies
requires critical thinking and analysis of competing hypotheses, much
like assessing the cogency of inductive reasoning.

Both fields also demand the practitioner set off on an impossible
task. The philosopher knows that at best they will arrive at an
internally consistent model that is a rough approximation of reality.
In cybersecurity, as the old cliché goes, it is a matter of when your
organization suffers an incident, not if.

Just as there is no single perfect approach to cybersecurity, there
are myriad different schools of philosophy. Whether they know their
Jeremy Bentham from their Epictetus, when there is no single ‘right’
answer to a problem a CISO can turn to some rather unconventional, but
nonetheless appropriate, sources of inspiration.

Playing the numbers with utilitarianism

Why should we spend money on protecting personal data if we can buy
cyber insurance? If our systems have been hit by ransomware, should we
pay the ransom? These cybersecurity questions have an ethical
dimension that is worth consideration. To do so we could turn to
utilitarianism, a philosophical tradition founded on the principle
that providing the greatest benefit to the greatest number of people
is the ultimate measure of right and wrong.

In classic utilitarianism, determining the correct course of action in
our two hypothetical scenarios would be a matter of assessing
consequences. What are the consequences of improperly protecting our
data or paying the ransom? How do we quantify this? From a program
management perspective, we could reduce this solely to dollars and
cents: if the cost of protecting personal data (including
less-tangible costs such as reputational damage) is greater than
paying higher insurance premiums and regulatory fines, then perhaps we
needn’t bother.

Obviously, this is problematic. A CISO that focusses solely on
maximizing immediate benefits may not recognize the longer-term harm
that could result from that approach. In the same way a modern
utilitarian may wish to minimize harm, rather than just maximize
benefit, so too should cybersecurity leaders think past the immediate
consequences of their decision-making. After all, today’s
cost-effective ransom payment may well fund next year’s attacks.

Managing risk with stoicism

While most organizations have no problem identifying cybersecurity
risks, issues often arise when it comes to defining the risk appetite
or prioritizing remediation efforts. Whether it is securing legacy
infrastructure or locking down non-compliant cloud instances,
addressing complex security issues requires consistency and
persistence, two of the central tenets of stoicism.

Successful security strategies rely on incremental improvements across
the board and cultivating a security-conscious culture, rather than
hoping for a magic bullet to mitigate systemic risks overnight.

To effectively manage cybersecurity risk, we can draw inspiration from
the famous Stoic philosopher and slave Epictetus, who believed the
greatest goal in life was to “identify and separate matters so that I
can say clearly to myself which are externals not under my control,
and which have to do with the choices I actually control”. Knowing
what is within your control is often a matter of good governance:
defining and communicating who is accountable for what.

Understanding the externals that are outside your control is the
result of knowing your threat landscape: CISOs who worry about obscure
hardware vulnerabilities while the entire workforce is busy clicking
phishing links are rarely effective. Without either, organizations can
find themselves revisiting the same unresolved risks year after year.

The stoic CISO therefore should follow this simple mantra: know
thyself, undertake regular threat modelling, and outsource the
management of risks you cannot control.

Being proactive with Daoism

Wu-wei, a guiding principle for both individuals and governments in
Daoism, is often translated as “effortless action” – a state of
heightened situational awareness and adaptability. The Daoist text
Dàodé Jīng teaches objectivity, flexibility, and self-awareness:
“Knowing others is intelligence; knowing yourself is true wisdom”.

Similarly, while organizations commonly look outward to improve their
security maturity, whether to new tools, publications, or threat
intelligence feeds, their gaze would often be better turned inwards.
Misconfiguration and human error remain primary culprits for security
incidents, and are often the by-product of poor security awareness,
inadequate processes, or a lack of visibility of the environment. Are
your cloud instances misconfigured? Are staff accumulating privileges?
How are your vendors or suppliers performing? These are some of the
basic questions that should always be asked at the outset of a new
cybersecurity strategy.

The constantly-shifting threat landscape means a sound strategy should
resemble the fluid nature of the Dao – when business requirements or
the risk environment changes, so should your approach to managing
cybersecurity.

The launch of a business-critical system, the acquisition of a new
entity, or the addition of a new data type are all indicators it is
time to revisit your risk registers and information security
management system for currency and accuracy. A CISO with Daoist
leanings will therefore be both flexible and proactive in approach,
deploying pre-emptive measures such as threat hunting to identify new
vulnerabilities and risks as the business grows and changes.

Managing the security posture of a large organization is never a
simple task. With myriad stakeholders, technologies, data types,
regulatory requirements and attack vectors, your unique combination of
challenges means there is no single ideal path or methodology.

We should therefore strive to always be conscious of the bigger
picture – whether it’s the broader impacts of a ransom payment or the
fluid nature of threat actors – to ensure our corporate posture is
both fiscally and ethically sound.
