In theory, theory and practice are the same. In practice, they are not. -Albert Einstein
[…conversation…]
Henrik: OK, why did you base the coming <#> years on these activities?
Customer: This is the direction of where our vendors’ technologies are heading!
Henrik: I understand. But is this where your business and organization are heading?
Customer: What do you mean?
Henrik: Are these activities, those you have based your security strategy on, in alignment with your organization’s direction?
Customer: Ahhhhh, you mean that stuff!
Henrik: Yes.
Customer: I do not know. That is <random input> for the executive management team to decide.
[…conversation continues…]
Source: Real-life conversation
IN REAL LIFE
According to some textbooks and theories, a security strategy should be the foundation for the information security policies developed, the information security programs created, the information security metrics designed, the information security <insert>, and so forth. All of these should be aligned with the organization’s business mission, vision, and objectives. I fully agree.
What I explain can be exemplified with the following conceptual model. Individual textbooks and theories may of course deviate from the conceptual model, but as a generalization it is fairly accurate. The model I have created is based on the collected knowledge from a fair number of these types of theories and books that I have read throughout my career. Nothing magical or unique as such, but it sets the context for the conceptual idea…from a theoretical point of view.

The thing here, in the real world, is that this is not always how you as a security leader will be approached, nor how the recipe for cooking that security strategy will look. When you come into an organization you will not always be served this form of opportunity: to start from the very top of the conceptual model and spend your time writing those steering documents. They should of course always exist, so that one can go in, read them, and in that case start from there. But this is not always the case either.
So, there might for example already be information security policies, programs, metrics, and other artifacts in place. Or there might be nothing in place. Or maybe there will not be room to do it the textbook way, or according to theory, due to some form of political reason. But now you are there, in the situation, and have decided that you want to help the organization develop a security strategy.
Let me exemplify a couple of scenarios for you that I have witnessed and taken on in the real world.
IRL EXAMPLE
An organization has had a security breach: the bad guys managed to launch a nasty attack on them and held them to ransom. Things got sorted out and the organization managed to get back to an operational state. The organization realized that it lacked both a security strategy and fundamental protective security capabilities.
They took the decision to start with the development of a security strategy, i.e. a long-term plan to improve things. They bring in a security dude to help them construct that plan.
In situations like these, where the organization wants more or less direct effects on its security posture and cyber resilience against external threats and attacks, the textbook and theoretical approach is less applicable. According to my experience, such situations require initial efforts that provide the most bang for the buck. This encompasses, for example but not limited to, establishing fundamental security capabilities, also known as security hygiene. In many cases these things are kind of “easy” to implement. When I say “easy” I do not mean that the actual work is simple, but that things start from where it makes sense for that specific organization. Another applicable term here is “foundational” security controls. I think you get the idea.
Policies, procedures, and guidelines are for sure a part of fundamental security, but starting there makes less sense in these situations, according to my personal opinion and empirical knowledge. If a boat has loads of holes in it, those need to be fixed before you start looking into that busted engine. If the engine is fixed and there are still holes in the boat, it will still take in water. Not so cool. Not that hard to figure out. You get the point.
REFLECTION
I know that many say and think that “technological security implementations” are not something that should be a part of a security strategy. I think this is both true and false. But the work, from a strategic point of view, needs to align with what the organization needs rather than with one person’s opinion or what a textbook or theory dictates. For this reason, operational security controls that are considered foundational need to be in place. If those operational things, from a security point of view, are not working properly, the cool-looking long-term things will most likely suffer. If the holes in the boat are not fixed, water will still find its way in.
I think there is more than one way forward for how to create a security strategy. The textbook way is one, but it should not be seen as the holy grail. At least not how I see it. If the situation you, as a security leader, are faced with cannot be managed according to, for example, the way you learned it, the way you have conducted it before, or the ordering in the model mentioned previously, you will need to “adapt” to the situation. You are there to help the organization that requested your services or that you work for.

Some security people think that technological improvements should be managed as IT projects, security improvement projects, or similar, and that they do not belong in a security strategy. Personally, I see very few positive gains coming out of these kinds of arguments. But here and there, in the real world, organizations spend unreasonable portions of time sorting this kind of bureaucratic bull sh*t out. I think there are situations where it makes perfect sense to put technological improvements, which may result in a certain product or solution needing to be implemented at a later stage, into a security strategy program. But this should not be the starting point. “We just need to implement <insert technology, solution, product> and we are aligned from a strategic point of view.” No, this is not how security or a strategy works in reality or in isolation.
But take this into consideration. If, for example, investments are needed for the organization to achieve the security mission statement, it makes total sense. If the organization is suffering from a poor hygiene level, go after fixing it. The implementation project for that technological thing might be a part of a bigger puzzle for the organization. And that piece of the puzzle, i.e. the IT project, might need to be approved by the management team that requested the security strategy. Why not use the security strategy to get the investments approved for the needed security capabilities? Once again, you are there to help and support the organization. You need to adapt to the situation, not the other way around.
Many organizations still see security as a cost center or something painful. This is a part of the reality we live in. For you as a security leader, be aware of it and be mindful of how you need to communicate with and influence your decision-makers. They are not the experts in security, you are. You are there to help them make the right decision.

Be pragmatic and make it less of a political, theoretical, and bureaucratic exercise, but at the same time, you as a security leader need to understand that this is a part of the real world. This is how reality works. You need to adapt to it.
Do not, though, fall into getting emotionally hijacked or locked into your ego about how things must be conducted. Approach the situation with integrity and leave your emotions aside. It is far easier said than done to be logical instead of mixing in those emotional feelings when you see what is needed. But this is the reality. Security leadership is mainly about humans. And humans have a tendency to react emotionally and act accordingly.
Spending time and energy on politics and bureaucracy is not how an organization will gain value from a security strategy. This kind of energy waste will not keep the bad guys away or increase your security posture or cyber resilience. These discussions are needed, but they are less value-adding. The way to speed up these forms of discussions, as said before, is to put your ego aside. Do not make or take these discussions as personal things that offend you. Your personal ego, or how you think stuff should be done, has little to do with your organization’s security posture and cyber resilience. You need to do what is best for them. You need to adapt. And in many places, this will mean that everything in that security strategy cannot be done at once. And this is ok. Doing something compared to nothing is still progress. Make sure to pick those things in relation to the resources you and your organization have at your disposal.
Someone: “Henrik, the things you are suggesting and recommending will impact MY budget!!!”
Henrik: “Yes. But I see it rather as our company’s money and budget and not yours or mine.”
Source: Real-life conversation
In many places, the budget (as mentioned before) will be one of the main factors that dictates what is possible to accomplish. Very few organizations have endless chests of money that they can throw at security. This is not how reality works, regardless of what a theory, textbook, multiple-choice exam, security guru on the internet, or AI tool tells you.
ADAPTABILITY
Yes. Adapt to the current situation in the organization you are supporting and developing the security strategy for. To do so, I think the following steps are a very good starting point for gaining an understanding of what the situation looks like:
1.) Assess the situation:
- Look at and discuss the security challenges, risks, and threats relevant to the organization. Interact with your stakeholders!
- Discuss and get an understanding of the history that led up to the current situation.
- Make sure to understand the business mission, vision, and objectives of the organization.
- Get an understanding of what and where the Crown Jewels in the organization are located and which they are.
- Make sure to understand how the organization provides value to the customers.
- Get an understanding of what the value streams are for the organization.
- Discuss and form a common goal, with your stakeholders, around what security in your organization should look like, i.e. what your organization needs.
2.) Form a plan based on the information collected in step 1.
Explain and showcase the value realization, i.e. how the security initiatives tie together with the organization’s business goals.
3.) Present the plan, formed in step 2, to the stakeholders and decision-makers to get buy-in on what is suggested and needed to reach the wanted state.
4.) Execute the plan together with your team.
Yes, the list can be made longer and can be adapted. But the point here is to start from where it makes sense and to gain your organization’s perspective on things: reducing subjective perception and increasing objective perspectives.
Before the show gets started, the current state of the situation needs to be assessed and understood. I recommend spending more time, resources, and energy on this part. This is often where resources are under-committed, as many organizations want to jump into “execution mode” more or less directly. What I have learned through my career is that one of the main reasons for this is some form of frustration or expectation underpinning these emotions. Be aware that this sort of situation can take place, but planning is key and security favors preparedness.
Ask yourself: how can you, as a security leader, construct an adequate plan without truly understanding the current situation?
Where are the pain points? What needs to be improved? For example, are there information security policies, procedures, and guidelines in place? If so, these might be a part of the current state analysis. If these things are not in place, record this finding and add it as an observation to the analysis.
But does this mean that we need to start with forming the information security policies, processes, and procedures? As said before, according to how I see it: it depends. In some cases I would say “Yes” and in others “No”. It depends on where the organization has its pain points and which actions are the most value-adding for the organization. And value from security is not only derived from technology or cost savings. You, as a security leader, need to understand what value means for the organization you are there to help. Sort out these questions together with your stakeholders and sponsors and things will pan out more fluidly.
If you want to read more about value realization in relation to security strategy, I suggest you read this article.
EPILOGUE
Choosing the way to analyze the current state of an organization from a security perspective is not, and does not need to be, an advanced or complicated exercise. It can be enough to gather all the relevant stakeholders in the organization, make sure they are in the same room, and for you as a security leader to facilitate the dialogue. Get everyone, and yourself, on the same page. This makes a great starting point. Expectation management. And make sure to speak and communicate with your audience in a language that they understand.
Ask the right questions. Collect the feedback. And take it from there. If you need a security standard or framework to help you, use one. If you do not need one and know how to facilitate the dialogue without one, do that instead.
If you pick a standard framework or methodology, pick the one that suits the situation and organization best. If they are operating in a certain industry, pick the standard or framework that makes sense for that industry. Or pick the one that the organization is already using.

But keep in mind that a standard or framework is only that. It is not a magical unicorn solution that makes an organization secure. The magic does not happen through that standard or framework in isolation. Filling out spreadsheets or PowerPoints is not what makes an organization secure. It is a part of the exercise, but it is not where the actual magic happens.
I believe in going from plans to actions…but in an informed and intelligent way. Do your investigation, but do not get stuck assessing the organization to oblivion. However, be aware that the output you get from the assessment will be limited to the questions and subjects discussed.
For this reason, I also recommend using the output in the same way. Use it as a discussion point and make sure everyone understands the limitations and assumptions made. A standard, framework, best practice, methodology, and so forth are there to help you get things going. They are not a magic wand that will fix things for you and your organization.
How theory plays out in reality can take different forms. Change your implementation of the theory to fit reality, or choose another way that works. “The standard/book/theory says that […]”: no, do not strive to become one of these one-trick security ponies. Security strategy and leadership are not that advanced, or do not need to be. Approach them in the way reality works, not the other way around.
Expert Security Strategy Lesson! A security strategy is less about your personal opinions as a security leader, textbook thinking, or theoretical models. It is about what your organization needs. It needs to be tailored to your organization. It is very common to see us as security leaders and experts approach this form of exercise blindfolded, with a very biased opinion of what an organization needs. Do not make this mistake. Reality does not work this way when it comes to security. Every organization has its own uniqueness, and this mainly comes down to culture, politics, ways of working, history, leadership, financials, value proposition, and so forth. Make sure to take the uniqueness of your organization into consideration when developing the security strategy.
Henrik Parkkinen