4 classes of practical security and how to balance them against goals

Every CISO must evaluate their security program against these four basic classes of security -- keep out of jail, table stakes, competitive and advantage -- in terms of business need.


The mission of security leaders is to protect the trust that has taken years and a great deal of execution to build. That trust runs deep: with customers, with partners, with the marketplace, and for many in the modern era, with regulators. As more of the business is engaged in delivering services or products while maintaining that trust, it is important to build clarity on the type of security investment being made. Every security leader faces the perennial challenge of maximizing security outcomes with limited resources and of spending political capital carefully to effect needed change.

Security programs need balance

As security leaders, driving a security program at scale means myriad things: protect systems, enable people, help meet revenue goals, accelerate delivery, help the CIO team deploy new technologies, enable data patterns, assess privacy, enable new vendors and system interconnections, and more. As we partner across these functions, the conversation is often shifted by executive attention driven by news coverage or new technologies.

Working with a customer a few years ago, I was shocked as we reviewed the security program to find out how heavily they had invested in analytics-based platforms, which were at the time less prevalent than they are today. As we continued the maturity assessment and planned enhancements, it was soon clear the program was unbalanced. Foundational CIS Critical Security Controls were completely missing even as massive data libraries and search capabilities were applied daily.

The team had missed the opportunity to take a risk- or market-based approach to deciding which controls or investments to make. Instead, a few outsized voices had promoted top-of-mind ideas or new technologies rather than presenting the business with a data-driven view of how critical a given piece of the security program was.

As security leaders, one of the most valuable things we can push teams to do is to categorize each control by its market impact and necessity. Is this control or risk in our business roughly in the class of "keep out of jail," or is it something so advanced that it creates "advantage" over other companies in the space?

4 classes of practical security

Many risk-based methodologies can categorize threats and set priorities. Alongside these formal prioritization methods there is a way of communicating how a security investment or control relates to the company's market position.

These "classes" of security help tell the story of where a security investment fits among the business's roles, responsibilities and commitments as a whole. Presenting security controls accurately as behind the state of the industry helps business leaders understand the imperative to "catch up." Presenting security controls as beyond the current state of industry obligations helps the leadership team weigh the potential investment against the business it unlocks.

1. Keep out of jail

Following the law is never optional. It sounds obvious, yet my experience is that security and business teams can sometimes lose sight of the big picture. As legal concerns mount and jurisdictions pass new legislation, someone on the team must own the role of identifying compliance concerns and surfacing them in the risk and control identification process. Security obligations that carry criminal penalties need to be identified consistently when the status of each security investment is assessed.

In prioritizing people time, we are putting in place foundational controls because criminal penalties are attached.

In prioritizing resources, we are putting in place foundational controls because criminal penalties are attached.

In building a coalition of support in the business, we must do these foundational controls because criminal penalties are attached.

2. Table stakes

Many controls are a necessary element of simply being in business. For example, a cloud service provider must have the basic capability to isolate information among customers. Without such data protection controls, it is difficult to even call your service "cloud" in generally accepted usage, let alone under formal definitions like those provided by NIST or other organizations. These controls are required simply as table stakes to sit at the table and play the game, whatever you are in business to do.

As security leadership works with the business, the framing becomes that this control upgrade or participation in the program is simply part of operating this kind of business. We cannot go to market with, for example, consumer internet-connected devices without a way of setting reasonably secure defaults. We cannot offer cloud software as a service without standards for how we encrypt data and handle the encryption keys safely. We cannot sell cars electronically without a privacy program to track consumer information and ensure it is used only as intended and expected in this industry.

For most organizations, common frameworks like the CIS Critical Security Controls or the ISO 27002 code of practice provide baseline lists that the organization can compare itself against to determine which controls are reasonable table stakes and which belong to a higher class.

3. Competitive

Growing in the marketplace means not just meeting the basic minimum to be in business, but also providing the trust and patterns of commerce that customers expect. Often, the controls common in an industry represent the current state of expectations for security, compliance or privacy. As an example, in technology businesses it is difficult to provide hosting services at scale to enterprise customers without SSAE 18 SOC 2 attestations and audit reports, or without managing information security under an ISO 27001 certified information security management system.

In non-technical businesses, this may mean securing electronic retail transactions, protecting data storage and backup services with hardware-backed encryption, or providing a high level of physical security as part of an all-hazards resilience program.

Competitive controls help the company grow by being at or just above the customer's level of expectation and not conceding ground to the most common alternatives. Building the case for investing in competitive controls typically centers on business units or customers who have recently asked for these controls and expressed reluctance to renew or expand business until they are available and attested.

4. Advantage

One of the most common mistakes in modern security practice is labeling current control programs as advantage when they are really table stakes or competitive, the price of being in the field at all. Advantage controls are specific places in the security program where the business makes a net investment to rise above the current state of trust, often to correspond with an offering's brand or with a perceived area of risk that may help define the market in the future.

Building support in the business for an advantage level of controls or investment requires a shared vision that investing in a higher level of trust makes significant market expansion possible. As one example, in a world considering the metaverse, what if a high-tech company offered "secure interactive" avatars as a form of federated identity? In financial services, some organizations were first to offer consumer-available hardware multi-factor authentication (MFA) tokens as an additional practical security control, but also as a visible perk and brand enhancement for high-net-worth customers.

Driving the narrative for advantage investment requires a shared business case in which the security team enables the business to meet broader investor objectives such as revenue expansion or a reduced cost of sales. Such a conversation is almost never about the net impact of the security risk or the security costs themselves.

Calibrating a narrative for the right class of security control

As security leaders, we shape how our business partners perceive the value of the investments our budget drives and the role of the security people embedded in projects. Calibrating that view so that security is understood in the context of a broader industry-competitive conversation can help build the support needed to advance the company's posture and unlock business goals.

Accomplishing this requires transparency and consistency in communication inside and outside the security team, which likely means moving beyond the specialist language of risk and building a taxonomy everyone can understand: classes of investment that are behind or beyond the state of the current marketplace.

Copyright © 2021 IDG Communications, Inc.