Accuracy And Precision in Cybersecurity
I am a fan of sketchplanations.com in general and this sketch in particular caught my eye for two reasons. First, I love me some hair-splitting (ask me about the difference between "virulent pathogens" and "infectious pathogens"). Second, this gives me a great way to talk about a big deal in cybersecurity.
Before diving into that big deal I want to apply the point of the sketch to cybersecurity. The field of cybersecurity is a branch of Risk Management. The people running the organization have to set priorities and budgets. The people running the organization have to sign off on the policies which decide which risks are worth mitigating. The people running cybersecurity have to write procedures which implement those policies and then police activity to ensure that the procedures are active and effective.
By analogy, the policies are accuracy: are you trying to protect what you need protected? The procedures are precision: are you effectively protecting whatever it is that you have been tasked to protect? Having both accuracy and precision in your cybersecurity program means that the right people are doing the right things and doing those things well.
What if you have accuracy without precision? Then you are protecting the right things but not in an efficient or effective way. What if you have precision without accuracy? Then you are doing a terrific job protecting the wrong things. Neither of these scenarios is what you want.
(We assume that you have a cybersecurity program that is formal and rigorous. Formal means that it follows some accepted and proven methodology. Rigorous means that it generates evidence of its own effectiveness and that evidence is both comprehensible to Management and regularly presented to Management in a comprehensible form. If your cybersecurity program is not both formal and rigorous, then you have problems that being both accurate and precise won't fix.)
So what is the big deal in cybersecurity I want to talk about? The big deal is where to draw the lines of responsibility between Management (the people who run the organization) and Cybersecurity (the group of people who implement cybersecurity in the organization).
As with everything else, you can draw the line too far in either direction or you can get it just about right. And that line placement matters. Sometimes Management basically dumps it all on Cybersecurity. This is too much Cybersecurity. Sometimes Cybersecurity just does what it is told. This is too much Management. Sometimes Management does their job and Cybersecurity does theirs. This is the Goldilocks scenario.
Why shouldn't Management just let Cybersecurity do whatever? After all, Cybersecurity are the experts here. Yes, your cybersecurity group are your experts on defending whatever you have tasked them with defending. But are they defending the right things? Do they understand your business, your client interactions, your partner interactions and your resource priorities? How could they?
Why shouldn't Management closely oversee Cybersecurity's daily operations? After all, managing is what Management does. Yes, Management is the ultimate overseer. But does Management understand the ins and outs of cyber attacks and disaster recovery? Probably not.
The right people in the right jobs doing the right thing. Sometimes "the right thing" means "guarding the appropriate assets." Sometimes it means "using the appropriate tools." Sometimes it means "spending our limited cybersecurity budget to do the best we can."
Figure out where to draw the line in your organization and then review that decision on a regular basis. Your future self will thank you.