Someone Else's Problem
As noted in this blog post, we were recently reminded that when you ask CEOs the question "how much do you think about cybersecurity" the frequent answer is "not much." For many CEOs cybersecurity (C/S) is a box that must be checked, of course, but a box that can be safely left to IT. In other words, to them, C/S is Someone Else's Problem (SEP).
If you are the person running IT, effectively the CISO or actually the CISO, or the part-time CISO, this carte blanche may seem like a great deal: you get a blank check and the CEO (and the rest of the management team) gets a pass on thinking about C/S.
In practice, this deal is not as great for you as it first appears. In a nutshell, the level of support indicated by "I trust you to do whatever it is that you do" may not be enough support for you to survive a C/S incident. Or two. Or three.
You can certainly spin the wheel and hope that nothing too bad happens on your watch. You can even take all reasonable and customary precautions to minimize the chances of something bad happening on your watch. But you cannot guarantee that nothing bad will happen on your watch. In fact, if you have that job long enough, something bad happening is so likely that you need to be ready for it.
If you have been tapped by the CEO to check the C/S box, the downside is that the following statements are also probably true:
- The CEO does not know, and therefore does not truly understand, the trade-offs you have made; you can't protect everything all the time. Someone has to make value judgments. If you go it alone, then if there is a problem there is less chance that your management will support you. "I didn't know that!" is a common refrain in these situations.
- The CEO does not know why you spent what you spent or where you spent it. Again, this is probably not a problem unless and until something bad happens. In the aftermath of the badness you will truly come to know the meaning of "hindsight is 20/20" because well-meaning management team members will point out that you could have spent less money, or spent it more effectively, than you did.
- You are taking responsibility for organization-wide decisions about what to protect and how to do the protecting. This means no one else has to stand behind what you chose to protect and no one else has to stand behind whatever procedures your people followed to do the protecting. All you, baby.
What should you do instead of going it alone? You should do the IT stuff, but you do not have to do the non-IT stuff and you shouldn't take on the non-IT stuff.
What non-IT stuff? Well, according to the NIST CSF, the steps required to provide C/S are these:
- Identify -- figure out what needs protection
- Protect -- do the actual protecting
- Detect -- monitor the protecting so you can detect issues
- Respond -- short-term response to the issue
- Recover -- long-term response to the issue
Step 1 is NOT an IT function; at least it is not solely an IT function. Are you sure you know what every department does well enough to know what needs protection? I once watched a misconfigured time tracking / ID badge / electronic lock system shut everyone out of an office for a day. "How to recover from HR's ID badge system failure" was not on the IT bingo card.
Step 2 is totally an IT function unless you have a C/S group. We call this step "Cyber Defense" to distinguish it from C/S writ large. But Cyber Defense is only a part of C/S.
Step 3 is only partly an IT function as we will see below.
Step 4 is often an IT function but almost always requires help from other departments; it is far better to get that buy-in before something goes wrong.
Step 5 should never be solely an IT function because this step should include a review of the incident (to improve the process to prevent repetition) and leads back to step 1 (to make sure that all those value judgments are up-to-date).
Translated into action items, these steps become the following:
Start by publishing your list of what there is to protect. This is the list of computer systems and data without which your organization cannot function. Are you sure that you know what every worker needs? Great! Then make the list and circulate it. You might be surprised at the response. You will certainly be glad that you did if there is an incident. Consensus is very valuable in a crisis, but much harder to build in a crisis.
After there is an agreed-upon list of critical assets, swallow hard and publish your list of which of these assets you actually can afford to protect. Are you fortunate enough to have the time and money to protect them all? Good for you! Still do it because the list should be reviewed on a regular basis and it is EXTREMELY unlikely that you will always be able to protect every critical asset. As part of listing what you can protect, you explain how you are going to protect it.
Now comes the difficult part: figure out how to prove that your protection is working. In order to make this proof useful, find someone outside your organization to review it. Not only will you have more buy-in during an incident if other people know what you were doing and why, but you will save lots of time and energy explaining what you do to protect because your reviewer will already know what you are doing and why.
Finally, have a published Incident Response Plan (IRP) which specifies who does what. During an incident is not when you want to try to find the right people to do whatever needs to be done. As part of your IRP you should also define the process which will guide your after action report and your "make sure this never happens again" process.
I know that it seems so much easier if C/S is SEP to your management. And it is easier to just say "trust me, I know what I am doing. And please just pay for it without asking questions." It is easier until something goes wrong. And my goodness, the chances of something going wrong go up every day.
Providing C/S requires value judgments, resource allocation and supervision. These are management functions, not IT functions. Even if management wants to pass the buck to you, you would be wise to lead the leadership back to doing the parts of this job that belong to them. Your future self will thank you.