Keely has over 30 years of experience in Information Technology and Information Security with proven skills in support, operations, engineering, analysis, management, and sales. Prior to Check Point, she worked for Fortune 50 enterprises, higher education, medical, telco, MSSP, finance and VAR organizations. Keely holds an MS in cyber security from Florida Institute of Technology, the GIAC GLEG (Law of Data Security and Investigations) certification, and presented at the SANS Institute 2019 Supply Chain Security Summit. Keely joined Check Point Software Technologies in 2019 as the Pre-Sales Security Engineer for the Commercial sector in southern Virginia.

In this post, Keely Wilkins discusses how the language of business can obfuscate the significance of cyber crime (a.k.a. technology-enabled crime), resulting in the undervaluing of risks and undermining the foundation of cyber security strategies.

Language is referential

The language of business is complicated. There are whole volumes dedicated to deciphering it for those of us who aim to contribute to the greater good.  Yet, the base objective of business remains straightforward: to provide value for goods and services.

Achieving this objective is largely formulaic. Predictability and probability of future success are calculated via the analysis of past events. Accounting for unknown variables is less precise, but still achievable. Cyber crime, for example, has been such a persistent anomaly that it is now predictable and probable.

Math is the common language of business. Still, delving into a sector or industry different from one’s own is akin to learning a new dialect (e.g., medical, finance, government). There is linguistic shorthand for everything.

With this nuance of language disparity, it is not surprising that we struggle to act cohesively against our common foe.

Criminals are not constrained by language; their success is not dependent upon being understood.

(Cyber)crime vs (Cyber)security

There are opposing superstitions about calling the devil by name. The first posits that saying its name gives it power. The second suggests that saying its name takes its power. Cyber crime is the devil of legitimate business.  Social Engineering, Phishing, Whaling – it tempts us. Malware, Ransomware, Identity Theft – it consumes us.  Exploitation, exfiltration – it depletes us.

The response of business has been to construct a defensive strategy, a cyber security strategy, whose success is reliant upon predictable behavior.

Criminals are opportunistic, not dogmatic.

Accounting for curveballs

Anomalous behavior keeps us up at night.

The “Great Resignation” a.k.a. the “Big Quit” of 2021 created a knowledge gap across industries as many experienced employees resigned. This was not predictable behavior.  There is no continuity plan for whole teams leaving.  For the cyber security industry, the Big Quit compounded the existing talent shortage.  Not only were entry-level jobs not being filled, roles that had been occupied by experienced practitioners were now being vacated with no one to bring up from the bench.

Cyber security roles are not easy to fill. When an experienced employee leaves, other employees are taking on the tasks without the benefit of cyber security training or experience. They may be capable of performing tasks, but they do not understand the purpose or impact of their actions.

They do not speak the language; they cannot name the devil.

Cyber security is difficult.

Undervaluing risk

Treating cyber security as merely another business objective or cost center does little to effect change.  Still, we must have a plan, a budget, and a means of measurement.

There are formulas to calculate Cost-Benefit Analysis, Return on Investment (ROI), Total Cost of Ownership (TCO), probability of loss, and a myriad of other ways to measure the impact of decisions. Not all of them are correct. The calculation to determine the value of a digital asset, for example, assumes that the value of data is static. The value of data is actually fluid and it does not adhere to a predictable depreciation model because we would have to define every possible use case for that data (raw and aggregated) to know how it will appreciate or depreciate.

For clarity, a data breach is always bad. A data breach with actionable data is extremely bad.

Supply chain security is another factor in the valuation of risk.  We open a Pandora’s Box of risk when our businesses are dependent upon one another, we speak different dialects, and we rely on legal contracts to bridge the gaps between business and technology.

Accounting for risk is about the probability of occurrence and the expected impact of each occurrence.  Not everything is predictable.

Refocus the cyber security strategy

To recap, our objective is to provide value for goods and services.  The criminal’s objective is to take anything of value. Resources are finite, value is fluid, predictions are iffy, and risk is misunderstood.

We can change that. Acknowledging that criminals are opportunistic means that we must also acknowledge that we own those opportunities. The predictability of business may be our cornerstone for planning, but the predictability of our behavior is a criminal’s jump point for exploitation.

Bring innovation into your defensive strategy. There is no textbook formula for the successful practice of cyber security.  Safe today, exploited tomorrow. There is plenty of rhyme and reason behind the inequity of exploitation, but that is a different topic.

My advice to all who endeavor in the business and practice of cyber security is to

  • Think critically, like a criminal
  • Know your value as an opportunity to be exploited
  • Over-estimate the value of your supply chain
  • Do not over-complicate your security strategy
  • Do not undervalue your security practitioners; they’re hard to come by
  • Pressure test your assumptions

We can do this, together.

Lastly, to learn more about managing cyber risk in a changing world, please join us at the premiere cyber security event of the year – CPX 360 2022.