Updated: Mar 18, 2020
Cylidify publishes blog posts to share our ideas and guidance, but also to generally "put ourselves out there". Being direct and candid is one of our core tenets and is woven into our consulting and services offerings, and you will see it in our posts as well. This post focuses on cybersecurity professionals, but there is a message here for anyone bridging gaps between goals, disciplines, or technologies.
There are many gaps and disparities in and around (cyber)security and privacy. Keeping those gaps in mind and bridging them is critical to successful cybersecurity engagements and programs. One of the most significant gaps is between cybersecurity professionals and the people and "entities" they aim to protect.
Much has been said and written about gaps between cybersecurity and its "constituents": businesses, technology, and people. Bridging these gaps will increase the ROI of security and privacy investments, but this must be balanced with the functionality and capabilities that generate revenue for the business.
Sure, cybersecurity professionals like to "geek out" at conferences and in their forums, discussing the arcane or theoretical (which rarely stay that way for long) or debating the next evolution of malware. Unfortunately, our constituents rarely care that deeply about those details, no matter how much we might want them to. We need to continue researching and learning via our community to stay in top form and ahead of the competition (vandals, criminals, etc.). However, we must also find a way to bridge the gaps, making cybersecurity and privacy approachable and consumable. Without these efforts, we will still be able to respond and win some battles, but we'll still be losing the war — priorities and investments will get juggled or pushed later in the life-cycle, giving hackers gaps and opportunities to leverage in exploits. "I told you so" only feels good in the shorter term.
Ok, so... How? Great question! It depends on your constituents. Despite there being some commonality in cybersecurity, it's not deep or broad, and it thins as attack vectors multiply and businesses and technology stacks diversify. The "least common denominator" is shrinking and there is no "one size fits all" approach. Also, there is a widening range of issues and personas to consider. Meltdown and Spectre were a wicked curve ball, and new personas are being introduced. Most of us are comfortable with other technologists (e.g. developer and architect personas), but CEOs, business development, lawyers, and end-users need different approaches.
As with most of cybersecurity, it's about having the skill, agility, and diligence to develop a shared understanding of the situation and engage the constituents with the right approach. We need to be the ones who take the first steps toward establishing common ground via compromise, knowing the issue and audience, and coming into the engagement with a tailored and phased plan. For issues and incidents, a situation, plan, and action approach works well. This allows us to explain current risks leading into a staged plan that includes "fixes", mitigation, compensating controls, and defense in depth, with segues to other improvements sprinkled about; take advantage of all opportunities! We should go in with the understanding that dramatically altering the business or removing capabilities is very rare (but still sometimes warranted), and that zero risk is impossible. For programs and capabilities, get involved as early in the process as possible (even if you must shoulder your way in); "left-shifting" cybersecurity is one of our best value propositions. The Cylidify up-level recommendation is that no business commitment or technology investment should be made until the cybersecurity resources are involved and all aspects are considered.
So, it's up to "us" to make the first move and advance toward common ground, leading with information and guidance rather than elbows. Get involved early in the process with common ground and compromise in mind. Enter issue or incident discussions with all the details available, but tailored and presented to make them approachable and consumable for the business, technology stack, and people involved. This is not to say that you won't have to battle to do the right things, but rather that you should start out "nice" and try to build consensus first.