



How Sutton’s Law applies to cybersecurity today

Oct 23, 2017 | 4 mins
Data and Information Security | Network Security | Technology Industry

If chasing threats is not the best allocation of an organization’s security resources, what is?


In my previous article, I raised a red flag about the diminishing practical returns of “mom and pop” threat research as a proxy for mitigating vulnerabilities and bad consequences. Threat assessment is often both difficult and incomplete, and sometimes best left to those who have timely access to the best possible data (and even then, left to those with the military and intelligence means to act on it).

In that piece, I also raised an obvious question.

If chasing threats is not the best allocation of an organization’s security resources, what is? Where should we be focused, and how can we best translate that attention into more effective—and efficient—cybersecurity?

Allow me to answer that with a brief portrait of a driven, iconoclastic, 20th-century American financial entrepreneur named William Francis Sutton, Jr. Beginning in the early 1930s, Sutton began his extremely successful and profitable 40-year career—as a bank robber. Not only did his particular skill set net him an estimated $2 million and earn him the nicknames “Slick Willie” and “Willie the Actor,” his most famous insight also left us with a truism that is now referred to as “Sutton’s Law.”

Upon arrest, the legend goes, Sutton was asked by a newspaper reporter why he robbed all those banks. Sutton replied, “Because that’s where the money is.”

Which is why we should consider Sutton’s quote as particularly relevant to cybersecurity today: Why do threat actors go after cyber assets? Because that’s where the consequences of significance are.

From financial information and personal data, to access to trade secrets, customer information and patterns—data has become the most consequential asset for many organizations, and the most valuable target for threat actors. Whether their motive is financial gain or maliciousness, they are hoping for two things: easy access to what they are after and maximum impact for their efforts.

This aligns directly with the cybersecurity risk paradigm: a triangle illustrating the three components of risk: Threat, Vulnerability and Consequence. We have already established that it is challenging for individual companies to accurately characterize threat, or to successfully mitigate it even once characterized. That leaves Vulnerability and Consequence.

Vulnerability and Consequence are the two components of cybersecurity that organizations have the most control over and can most efficiently use to dramatically improve their level of protection.

Not necessarily in that order though—unfortunately, many organizations are not nearly focused enough on closing the known vulnerabilities that allow breaches. I won’t name names here—any news site on any day will give plenty of examples, and many CISOs breathe silent sighs of relief that it’s not their turn today. It’s remarkable to think about how much damage can be prevented with just fundamental, basic security hygiene. Most people would be stunned at how many of the data breaches we so often hear about are the result of that inattention to vulnerability management.

That said—and for the sake of discussion, assuming basic hygiene protocols are indeed followed and signature-based blocking of known threats is employed—let’s apply Sutton’s quip of “that’s where the money is” to the most-overlooked aspect of cybersecurity risk: avoiding bad consequences.

We need to identify the most destructive potential results of a realized threat or exploited vulnerability, and engineer out those consequences so they cannot happen, or so the damage incurred is smaller if they do. Either can be effective threat mitigation—because threat actors will quickly conclude that their attempts require too much effort, or that there would be little or no return on investment even if they successfully penetrate a system.

Were he alive today, Willie would surely advise us: Don’t make it easy to get to the money, and don’t put the money all in one place. When we focus our attention on the things we can control—Vulnerabilities and Consequences—we create a dramatic increase in protection, and fully comply with Sutton’s Law.

Next time, we will use these principles to explore some fundamental best practices of cybersecurity—some obvious, some not, and some controversial—that can greatly improve the security of any network.


Phil Quade serves as Fortinet’s Chief Information Security Officer and brings more than three decades of cybersecurity and networking experience working across foreign, government and commercial industry sectors at the National Security Agency (NSA) and U.S. Senate. Phil has responsibility for Fortinet's information security, leads strategy and expansion of Fortinet's Federal and Critical Infrastructure business, and serves as a strategic consultant to Fortinet's C-Level enterprise customers.

Prior to Fortinet, Phil was the NSA Director's Special Assistant for Cyber and Chief of the NSA Cyber Task Force, with responsibility for the White House relationship in Cyber. Previously, Phil also served as the Chief Operating Officer of the Information Assurance Directorate at the NSA, managing day-to-day operations, strategy, and relationships in cybersecurity.

The opinions expressed in this blog are those of Phil Quade and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
