Center for Internet Security expert offers a simple equation to manage cyber risk
BOSTON – Tony Sager, senior vice president at the Center for Internet Security, promised to help simplify security – if not necessarily make it easy – at the HIMSS Health Privacy Forum on Tuesday.
Sager, who spent nearly four decades at the National Security Agency before he joined CIS, offered an equation to help put the situation in perspective: Risk = vulnerability, threat, consequence / controls.
In other words, an organization's cyber risk is a function of the vulnerability of their systems, the volume and variety of security threats and the consequence of an attack or breach – weighed against the strength of the organization's controls, what it can do about it.
Once upon a time, "we didn't know much about the threat," said Sager – offering the example of a USA that naively assumed its only main enemy was the USSR: We could understand vulnerability (i.e., diving under school desk during drills), but didn't know much about the threat.
"When you're faced with a threat to your existence and you don't know much about it, you think about the worst things that can happen and design for the worst," said Sager.
[Live coverage: Here's what happening at the Privacy & Security Forum right now]
On the other hand, he said, "some consequences are so catastrophic that it becomes the dominant variable." (Again, nuclear weapons is a good example of this.)
Meanwhile, a cold fact of cybersecurity is that, "no matter what, you cannot take your vulnerability to zero," said Sager. "And if you spend all your money on vulnerabilities, you have nothing left for threat or consequences."
With that framework in mind, Sager sought to cut through what he called the "fog of more" – the ever-proliferating list of threats, strategies, technologies, frameworks that security professionals are faced with managing given the "seismic shifts in the past 40 years."
Toward that end, he flashed on the screen a word-cloud of security imperatives: anti-malware, DLP, penetration testing, certification, continuous monitoring, baseline configuration, encryption, threat intelligence, two-factor authentication, user awareness training, incident response, virtualization, need-to-know, etc.
But Sager offered a cinematic analogy that helped bring some of that overwhelming verbiage into focus. In the majority of cases, healthcare security is not so much the heroic drama of fighting off bad guys, but more prosaic drudgery of keeping systems secure.
Cybersecurity is like "Groundhog Day," not "Independence Day," he said. "A good day is when nothing happens." And a good week is when several of those monotonous days are strung together at once.
In a more general sense, security professionals are faced with three basic questions, he said. The first two: "What's the right thing to do, and how much do I need to do it?" and "How do I actually do it?"
At its core, cyber defense is about information management, said Sager. He noted also that it's important to keep in mind that, while the list of data security tools may seem infinite and overwhelming, it's "a large but limited number."
That said, it's key to prioritize the right ones, as the Pareto Principle – which posits that 20 percent of effort invested is responsible for 80 percent of a project's end results – holds true here, so it's important to think hard about the optimal 20 percent to focus on.
The third basic question, however, can often be the most taxing: "How can I demonstrate to others that I have done the right thing?"
The lists of regulatory bodies, security frameworks and standards needing attention has only grown in recent years, said Sager: "It's the rare enterprise that only has one thing to report to."
Still, despite all the challenges, it's worth it for security professionals to remember that they're not in this alone.
"I'm old enough in this business to have seen a lot of things," he said. "In this business it's hard to have an original thought, and it's hard to have a unique problem.
"Assume there are are others like you," he explained. "And assume others have had the same idea. Do the homework to find what people have already done and created. We all have vastly more in common than we do differences, if we think like that, we actually have a chance here."
The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016.
⇒ Privacy & Security Forum Boston: What to expect
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet