Why evidence of security is not proof of protection

Sep 14, 2019


At Pharos, we often point out that “evidence of security is not proof of protection”. What do we mean?

The BIG GAP between security and business leadership
It’s no secret that CISOs and security programs often have a tenuous relationship with the business and executive leadership. We hear a lot of ‘the business doesn’t get it’, ‘they only want a check box for security’, or ‘we cannot succeed unless we have a seat at the Board’.

Simply put, business leadership is not being given reasonable outcomes to invest in. The onus is not on the business to ‘get it’ or to capitulate to the CISO’s demands for budget and authority. The CISO must articulate outcome options, measure value, and report on progress in terms that are immediately meaningful to the business.

The previous blog post introduced six questions that are key to bridging this gap: they help security articulate its case and exert influence at the executive and board level, raising security’s profile within the leadership of the organization. In this post we’ll focus on why evidence of security is not proof of protection.

What is the difference between Security and Protection?
As a first step toward bridging this gap, we want to differentiate between security and protection in a way that produces a simple, shared language between security and business leadership.

When we say ‘security’ we are talking holistically: all the people, processes, technologies, information, partners, and vendors that comprise day-to-day security operations. When we say ‘protection’ we mean a specific protection state, or level of risk exposure, relative to the impact of a security breach. Protection isn’t all or nothing; it is a matter of degree. It is gained by calibrating, orchestrating, and integrating controls (e.g. predictive, preventive, detective, responsive) into a reinforcing ecosystem. We want to give the CISO the ability to demonstrate that a given investment brings the potential impact down to a level the business finds acceptable. You don’t spend a million dollars to protect against a million dollar impact. There should be a spend-to-impact ratio that the CISO calculates across the various delivery options, so the business can compare them.

This sets up a clear cause and effect. In simple terms:

  • Security is actions / activities / cause
  • Protection is a state / result / effect

Let’s use the example of owning and building a house to clarify these differing positions.

In most cases, when you buy a house, you weigh size, location, and quality against your current and future needs and wants, and against upfront and recurring costs. Further, you consider that if you pay $x more for the house, you have $x less for cars, vacations, or other expenses.

Imagine instead that all you were told is how much wiring the electrician has done, how much plumbing has been installed, how many windows have been fitted, or how many bricks have been laid. Or that x% more bricks are being laid today than yesterday. Or that the bricks are y% cheaper than yesterday. Or even that the wiring, plumbing, and other trades were ‘done to code’ or to standard.

As a prospective home buyer, would you have any confidence that the sum of these actions and activities resulted in the right house for your family today and in the coming years, and at a reasonable price?

No. The first view is about a result: what house you receive for what cost. The second is about trade actions and activities. You can do all the right trades work, with the right materials and to standard, and still not get the right house, or even a house at all!

Security and Protection aren’t necessarily strongly correlated
If evidence of security is not proof of protection, it stands to reason that spending more on security doesn’t necessarily mean you are better protected.

This weak correlation has led to untenable relationships between security and the business, and as a result we continue to see CISOs struggle to:

  1. Gain or maintain investment traction
  2. Produce programs with strong morale and retention
  3. Develop strong trust and support from executive leadership
  4. Gain a seat and influence with the Board
  5. Reach agreement with the business on risk appetite
  6. Demonstrate what can, and cannot, cause unacceptable business impact
  7. Articulate the security program in business terms
  8. Establish a ceiling for security spend that is defensible to all challengers
  9. Demonstrate overall effectiveness

Opportunity cost turns into opportunity lost
Security is competing with the rest of the business (e.g. marketing, sales, R&D) for limited investment. Those functions can demonstrate valuable returns far more easily than security can using conventional approaches. Further, if increased investment doesn’t demonstrably result in increased protection, why should the business invest more? If the most tangible result security can offer is a certificate of compliance, why should the business invest beyond that?

We can all agree:

  • You need to ‘do security’ to gain protection
  • You need investment to ‘do security’

By differentiating between Security (cause) and Protection (effect) we have taken one small step toward answering the core questions posed in the first blog post. We will continue this journey in the following blog posts.