By Phil Reitinger
A couple of weekends ago I was on Long Island, NY, and I saw this fire hydrant, in the sand, on the beach. My first thought was “Really?” My second thought was, “Are we doing this in cyber security?”
Of course we are. Risk management, long the intellectual basis of cyber security management, is gaining even greater ground with its movement out of the standards area, including ISO 27001 and the NIST Framework, into becoming the core of the U.S. government approach – please check out the most recent draft of the Trump Administration cyber security Executive Order. But you cannot effectively manage for risk unless you know where your assets and vulnerabilities are, and in far too many cases, these remain mysteries for entities in the government and private sector.
At first glance, a fire hydrant sitting in the sand appears ridiculous – a prime example of government or corporate waste. We don’t know nearly enough to draw that conclusion, however, because we do not have all the data. At best we see about 25 percent of the surrounding area. It turns out, just out of view to the left is a pier and just behind is a parking lot. Does that change things? Well, maybe, but maybe not. The pier is a bare fishing pier, and we do not know either the risk of fire or the cost of replacement. We also don’t know how much it costs to put a fire hydrant in this location. So, in calculating return on investment, we do not know the numerator or the denominator. That’s not a calculation, it’s a WAG.
In an environment where both costs and benefits are uncertain, we are unquestionably putting fire hydrants on the beach. In fact, we are probably putting fire hydrants in the ocean, and we are missing sprinklers in high-rise buildings. To better secure our Internet-based services and systems, we have to do better. We need security science, not security religion.
The mission of the Global Cyber Alliance is “Do Something. Measure It.” for this very reason. Real cyber security measurement is a journey, but we must be able to measure costs and outcomes, at both the enterprise and the systemic level, to make good choices. The need to improve measurement is also one of the best, albeit implicit, parts of the draft cyber security Executive Order: the idea of Cabinet secretaries making risk management reports that “document at a minimum the mitigation and acceptance choices made” should be an advance for both science and accountability.
That’s progress. In the meantime, Long Island beaches appear to have reasonably mitigated the risk of fire.
The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.