
The Business of Cybersecurity

BSides Edmonton 2025 · 40:36 · 10 views · Published 2025-10
Style: Talk
About this talk
Cybersecurity often operates in isolation from business strategy, culture, and operations. This talk examines how to align security with enterprise goals, integrate security into business processes and initiatives, and shift reporting from technical metrics to business-relevant KPIs. Through real-world examples and a GRC framework lens, the speaker demonstrates how security functions can deliver measurable value by supporting organizational objectives rather than operating as an independent silo.
Original YouTube description
BSides Edmonton 2025. The Business of Cybersecurity by Burt Kim. The business of cybersecurity includes the culture, structure, people, process, and technology around cybersecurity. Making them all work in synergy for targeted business outcomes is an art, with pockets of science. Finding and closing cybersecurity holes is valuable, but what does it mean to the business? The business of cybersecurity focuses on how to enhance the value of cybersecurity to the business.
Transcript [en]

Thank you, everyone. I would like to start the business of cyber security. We'll go through these slides, and there's a slight last-minute change, but I'll go through that quickly here. Just a quick agenda. We'll go through the introduction. What is the business of cyber security? What is the challenge? Symptoms of the challenge, root causes, recommendations, and why address the challenges.

Just a quick intro of myself. I started in the business in 1999, right before the Y2K problems: networking and troubleshooting, project manager for 30-plus projects over 17 years. GRC and critical infrastructure are my focus now, with 12-plus years. Certifications are listed, and I am partner and co-founder of Simply GRC, based in Calgary.

So, presentation format. This is where there's a slight change. This is intended for the technical audience. I originally planned for this to be an open forum so that you can interrupt any time, ask some questions, and we answer and have a dialogue. But I request that we skip that and let me finish the presentation first, and then we do Q&A at the end, just due to timing. The slide deck will be published on our website. Information presented may or may not apply to your organization. And be cautious of sharing any proprietary information if you're going to be speaking about anything. And please keep in mind there is no intent to diminish cyber security's role in this. So please don't throw vegetables or rotten fruit or anything at me. And information may be new to some but may not be new to others.

Okay, so what is the business of cyber security? Here's the NIST definition. I won't run through it. I'm sure a lot of you understand what cyber security is and what it's defined as. I just wanted to put that at the forefront. But now if we layer business on top of it, you get those three points. These are the three points I'm going to be focusing on during this discussion and this presentation: support the organization's strategy, goals and objectives as a cyber security function; protect the prioritized assets through cyber security; and reduce cyber security risk for the organization.

Okay. So what is the challenge? Why am I here? Why am I spending your valuable time here at BSides? Let's start with a quick scenario. So the scenario: it's a large corporation and it owns and operates 20 endpoints. That includes servers and such as well, but a large percentage of those are MS Windows. Information security policy requires all critical and high security patches to be implemented within 2 days. That's our policy, and this is an actual organization. Patch Tuesday activities require a high degree of coordination every month. It's, I don't know, can we swear in this, but it's a show. Every month, success measures, or metrics, were based upon implementing the patches to all endpoints, applicable endpoints that is. So does anyone really see a situation or an issue with this challenge or this scenario? We can come back to it, but this is where I wanted the Q&A, but that's okay.

Cyber security can still operate in a silo in many organizations. Some it doesn't, okay, but many it does. And cyber security, it's a valuable service, but it's there to enable the business, not run the business. Integration with the business is often overlooked, and cyber security has formed its own culture without consideration to the other cultures. So this is what I've seen in many of the projects, many of the organizations. It's not the fault of cyber security; again, that's not why I'm here. It's to help extend cyber security and integrate it with the business. That's why cyber security is there, but it still operates in a silo. So this is the main challenge that I'm going to be focusing on. There could be many others, but this is what I'll focus on for this discussion.

So this is a sample GRC program: governance, risk and compliance. Up top you can see that you have your business impact assessment, your risk management framework, your risk assessment at the business level. But this is all within the IT and IS program or department. All of these blocks, these orange blocks, they do represent their own program. Okay? And this diagram is just a sample to show the interconnections and the relationships that each program has with one another. On the left there you can see, in the green, cyber security, and I position this just as a sample. Again, it can go in many different areas depending upon the culture, the structure, the leadership, whatever the case may be at that organization. But cyber security has inputs and outputs into people, process, technology. It has inputs and outputs into information security. There is a difference between information security and cyber security, for those that don't believe there is, but in my perspective there is. But then it spins down into the strategy implementation, the program management, the project management, the operations and different arms within. So this is not complete, it's not comprehensive, it's only a sample to give you context. But you can see that cyber security is part of an ecosystem. It's a subsystem, part of a larger system here. And it all works together to feed into the enterprise. On the left in the blue, those are just different departments that are samples, but there could be more. There is more, but I didn't want to blow up this diagram here.

Symptoms of the challenge. So the problem is still stated above: cyber security still operates in a silo in many organizations. But symptoms of the challenge: if you were to take away these symptoms, would the problem still exist? That's the way I'm defining a symptom. But here it's: business processes are often restricted with cyber security requirements. A cyber solution needs to be implemented and the business must adapt. Many situations like that do happen. And there are spin-off actions or reactions to that scenario, but cyber security requirements may be prioritized over business requirements. Technical risks may be prioritized over business risks. We must patch because we've got a cycle and we've got a requirement of two days. If not, it's my butt. But what does the business say? Does the business say, no, you will interrupt my operations and it's going to have a big impact on revenue? Many times, and many of you may have seen, where cyber security demands that it gets installed, escalates, it goes to their management leadership, then a lot of infighting happens, right? But there's a lot of business reason to not interrupt business, obviously.

Integration with the business is often overlooked. So many standards, frameworks, regulations, they all require cyber security to support the business. Learn the context of the business, support the business goals, understand the strategy. They all start with that. Whether it's ISO 27001, your CRISC, CISA, CISOPS, many other security-related certifications, they all state that, but often it's overlooked. So I'm just here to help remind that that still exists.

Checking the box. Unfortunately, this is a reality of the work environments we do work in. Checking the box. Yeah, we've been through this rodeo many times, this circus act many times. So now we're just checking it and doing what we're told. However, value could still be provided with checking the box. People and process controls are often separated, which can create an isolated or point-in-time cyber security solution. Point in time meaning there's rework that has to happen in the future. Isolated could mean it works for one group but not all required stakeholders that are part of the solution or that require the solution. People and/or, just read that, business units may circumvent cyber security requirements. So many of you probably know what shadow IT is. Why does it exist? Is it because the business got what they wanted and they just want more? They didn't know what they were talking about, or did they get what they wanted in the first place? Shadow IT is a way for them to go around the IT departments, the cyber departments, and implement the solution that they do need. So what was the value of the original solution? Why does shadow IT exist? And we'll get more into that a little later. A technical solution was implemented, but business requirements still exist. So it's a little bit with shadow IT, but technical solutions are used to define your business or operations. There was an instance where there was a power generation client and the IT/cyber department claimed that they ran power. They ran power because they used the tools; they implemented tools that helped make the operations more efficient for power generation, hydro site. And I'm looking at them like they asked me the square root of something, right? But I had to make it clear in many different ways, and there were many different discussions, but they do not operate the hydro equipment. But they believed they did, and that is part of the culture that is kind of reversed, the tail wagging the dog. But they had control over the systems and they thought that they could understand the whole hydro power generation operations, and if they were included as decision makers in the operation or generation of power, that company would go sideways and the operations people would probably make some stuff happen there.

Culture clashes between departments. So that example that I just gave, that does create a culture clash, right? IT and cyber, they want one way, they've got their own policies, they've got their own leadership. And don't get me wrong, there's office politics involved. Yes. But is there an attempt to understand what the business is trying to do? And the business could be the operations, it could be a nonprofit, it could be government, whatever the case is, but that's what I'm referring to as the business. And continuous exposure to increasing cyber threats and risks. Our landscape is changing constantly, right? But it is a challenge if cyber operates in a silo. It is a challenge if there is not unity across the business to make sure that the business and the strategy continue, and continue to create revenues and fund departments like the cyber department.

Root causes. So again, this is just context. It's not necessarily saying this is your environment. It may or may not be. But these could be leadership. They may not understand the value of cyber security and what it brings to the business. So again, this is for the technical audience. This one task is meant for the CISOs and the CIOs. It's their job to communicate and to convince their leadership. Attend to competing priorities. Everyone gets busy. Again, do more with less, right? There's miscommunication. This could be part of being busy. And trust the cyber security function: "Listen, I'm going to give you guys a bunch of money. You guys go off, do what you need to do. Just don't make it a problem for me." So there are different culture aspects of leadership or different motivations of leadership that could occur within every different organization, but it's a possible root cause. The cyber security function is not integrated with the business. So again, going back to the main problem, it operates in a silo. But why? The mandate of the cyber security function could be unclear. It's not clearly written. It's not clearly communicated or articulated for everyone within the cyber security function to operate the way they need to. Focus on cyber security industry targets, not business targets. How many times did we catch people phishing, clicking on phishing emails? That's great. It's understood and it's dangerous to an organization. But what does that statistic mean to the business? Just extend it over to the business. Continue what cyber security controls need to be done, but make it meaningful to the business. And I mentioned this earlier: the cyber security function acts as a business unit rather than a business enabler. Again, the business is there to fund all the different departments and organizations, but what is it doing mandating and telling the organization what to do? That's not their situation and that's not their mandate.

So I've got four different recommendations here, and you can take these away as you will, and they may or may not apply to your organization. But create value through cyber security services. Here are three different ways. Use the risk management processes to communicate to the impacted stakeholders. So what are the stats of security patches on the critical systems? A Windows server that's front-facing that has the same platform version as one that's inside the organization operating power generation, let's say, or running the plants? They both require the same patch, but which patch is more impactful? Which system is more impactful? Is there use on reporting on the web-facing one that only reports information that is tolerated to be down, or what about the other one where it's inside the plant and it's actually operating and generating revenue? Translate from a technical risk, for let's say a man-in-the-middle attack, to what information can be exfiltrated and impact the strategy. So don't just say, or I suggest not to say, yeah, we stopped this high critical man-in-the-middle attack. What does that mean to leadership? Just extend it a little further. This man-in-the-middle attack could have exfiltrated all of your PII data, and could have, and avoid a potential violation of the regulation if you're under one. Support the automation of people and process controls, not only technology. So yes, technology is great, bits and bytes. It's automation. That's exactly why we're here, one of the many reasons why we're here. But what about the people and process controls? If someone's doing a manual air-gap transfer of data from one place to another and there's a risk in that area, is there a way that cyber can automate that? Right? The business. That's where the business value comes. But just totally focusing on technology and not considering the people and process, what the people do to action things, to carry things over from one team to another. If you look at it from that perspective, it can really streamline and provide value to the business. Contribute to the assessment of positive risks and reducing opportunity costs. So do you understand what investments are currently implemented? Can you extend those? Can you activate certain modules that will solve a business problem? If you understand the business problem, you can utilize existing investments, and management will love it. Leadership will love it. They don't need to duplicate their costs. And how many different solutions are there all doing the same thing, but there are different instances? This is one way that you can provide value.

Recommendation number two: derive cyber security targets from the enterprise goals. So if the enterprise goal is to go to a different nation, go to a different country, how can cyber security help that? If one of the objectives or risk tolerance metrics is we only tolerate one hour downtime, how will cyber security help that? Cyber security needs to support those business goals and objectives, not make new ones in isolation. Integrate cyber security into new business initiatives, functions like third-party assurances, cyber maturity to increase client trust, and alignment with enterprise risks. Prioritize cyber resources to the high-risk areas. So going back to the example of two servers requiring the same patch: one is external, low priority; one is internal, high priority. So prioritize the one internally. If you have to do more with less, there are scarce resources. There are ways around this. And this is what GRC does. It helps: rather than lay a blanket over everything, take your blanket and put it on your focus areas. Technical priorities are important, but determine how they impact the business first. And technical risks are also important, but should not be independent of the business.

Recommendation three: shift reporting focus from cyber security to the business. Learn the business language. Even though this is the CIO's job, the CISO's job, it's still your job to be able to understand the business that you're in. What company? What's your company's main strength? What are they trying to do in the market? What are they selling? What products and services do they have? That is what you're protecting. Right? So shift focus from the cyber security metric saying we've stopped 98% of the malware and we did a great job. Okay. So what did the 2% do? Sorry to be negative, but what did the 2% do? What is impactful for that 2%? And what did you protect 98% of the time? Right? So phishing metrics are essential. Again, don't stop it. Cyber security is very critical. But extend the phishing metrics to translate to data that's meaningful to the business. So again, the 98%/2% example that I just mentioned. Report how business risks are reduced through the platform standardization or security patch levels. Yeah, it's important, we've got to keep up to date. But is keeping our systems modernized with a support contract from the vendor truly a business impact risk? It might be; then communicate it that way, but it should not be independent of the business. We need to patch these because the patch is available. Well, hang on. If we do that in the OT environment, there's a lot of critical information, a lot of critical impact that can happen. You can shut down the plants. This one oil and gas industry client that I've worked at, they estimated that one hour of downtime cost them 24 million. And someone can just unplug something at a critical point that did not have its redundancy. Again, where are we putting the critical controls, right? But one hour of downtime can cost 24 million of revenue. Who wants to break that to leadership's office and break the news? Nobody, right? The messenger always gets shot in that aspect. Shift reporting from cyber security metrics to the business-applicable KPIs. Again, yeah, sorry, I just read that. Understand what the impacts of changes in your cyber environment are to the strategy, policies, operations, compliance programs. Is there a compliance program that's going to potentially face a violation? And that violation turns into millions of dollars, but that's not only what the executives and the leadership are interested in. They're interested in staying out of the news. There are many organizations: yeah, okay, we'll pay the million dollars, 2 million, I'm fine with that, get me out of the news. That's the most important thing that they want. They want reputation secured. Talk in those languages. Impact to strategy, or, sorry, incorporate the enterprise risk metrics if they exist. So we all know leadership is already talking a lot about risk. Why does cyber have their own risk model? Why not integrate with the enterprise and use what's already there? They don't need to create a new one. This is how you can speak the same language and shift reporting to what leadership already understands. The value of creating a new one because a vendor came in and said, "No, we want to do it based on XYZ"? Well, that's fine, but who's the client? Right?

Recommendation four: integrate into the business culture, not the reverse. Going back to a previous point, if trust is given, that does not necessarily mean it's autonomy to do anything and everything, because leadership doesn't support it, or leadership won't understand or won't ask questions. All they put in the faith is: does what you're doing fix the problem? If you answer yes, leadership trusts and walks away. But going back to a few examples of the power generation, the hydro plant, you want to integrate into the business culture. Talk their language. Do not require that the business understands your culture. Yeah. Okay. You've got patches due in two days. Critical. That's well understood. But I'm pretty sure your lead will understand if the operations say that can't happen; you just got to explain it that way and say, if we install this patch, we're going to bring down the plants, or this one function of the plant, and it's going to cause an outage, and these outages are reportable and these outages cost XYZ dollars. If you talk in those terms instead of "we're going to break our policy," right? There are different ways to twist it. Again, keep doing your cyber security magic, but add a little business flavor to it.

Why address this challenge? Well, business goals and strategies, they change. So I won't read all of that, but there are definitely many points that business changes and we should adapt. We are a support system, just like finance, just like HR. We must support the enterprise. The external environment is ever changing, whether it's AI, quantum computing, state actors and new governments, new battles, new wars; wars are including cyber war now, and they're ever changing too. The digital world, they continue to grow bigger, stronger. Relations with your leaders will improve. Contribute cyber security outcomes that positively impact the business goals directly. That's why the leaders are there. They're there to take it from point A to point B in the most efficient way. Work with the culture, not the reverse. Avoid unnecessary bureaucracy and office politics. It doesn't have to be that way. If you open up to the business, trust me, the operations, the people... I've been a project manager over 30-plus projects. A lot of operations don't like project managers, right? They don't like project managers because on time, on budget, and the optics are there. However, did they provide value? And the operations, many times I've seen, they've inherited stuff, had to make it work because there was an investment and they need to use it for three years to amortize the capital XYZ, but the business is suffering, the operations, they're struggling, they're doing more with less, no one understands, the next guy comes along, they do the same thing. What's operations going to do? They'll tell you to pound sand in many different languages, in many different ways.

So, conclusion: understand that cyber security is part of a larger system. I'll just tell a quick joke here, and there is some foul language in it, so I apologize in advance. One day the human body and all the organs were having a discussion as to who's the most important. The brain stands up and goes, "I am, because I'm the CPU of the whole body and the whole body will not function without me." The heart goes, "No, I am, because I'm the one that puts the life throughout every part of the body." The lungs say, "No, without me you won't get any air." So on and so on. Then all of these organs are arguing with each other and trying to debate who's the most important. And suddenly you hear this little squeak: "It's me. It's me." And they all look around and they see it's the anus, and the anus goes, "I'm the most important," and the organs all look at the anus and they laugh, then they continue to argue. So then the anus starts to tighten up and just not let go, and just stay very tight. The brain starts to pulsate, the heart starts to pump faster, the lungs have a hard time breathing, and all the organs start to have negative effects. Then everybody looks at the anus and goes, "Okay, okay, let go. Loosen up. You are the most important." So the moral of that story is: the anus is usually the most important part of an organization.

So going back to this diagram, each of these is a part of an organ that's part of a body. They all work together. And it goes even further to the left. Cyber security is not an isolated silo. It works together with everything. Going back to here: cyber security must support the business as all other departments support. So imagine if marketing and finance and HR did their own things. Imagine if they did their own things and they didn't support the business. Where would they be? Why is cyber any different? Cyber is the same. The cyber security function is responsible to understand the business and provide value-added services. Discuss with leadership in business terms, contribute to keeping the lights on, reduce cyber risk to the business objectives. Focus on that, right? Develop cyber security metrics that align with and support the business KPIs. This next statement, we've all heard it, and I'm pretty sure a lot of us have advocated it: cyber security is everyone's job. But if it is everybody's job, why does cyber security exist as a silo? It should be merging with every business unit, with every team, and every team should understand it. But why do silos still exist if it's everybody's job? I won't answer that. I'll let you ponder on it. Continue the cyber security work; again, don't stop, keep doing your magic, but extend it further to integrate with the business. That's why I'm here, and that is the slide deck, so thank you. I guess we'll open up for any questions. If I don't like the question, I won't speak English.

>> So I tend to notice in a lot of organizations the competing interests. The finance department's told to, you know, make the numbers work, you know, save money. Sales is told, you know, go out and sell your, you know, firstborn, you know, everything to make money for the place. Security is often told you have to protect the business at all costs, you know, part of keeping the lights on. You know, we don't want to end up in the news, as you say. But then the other departments with their interests are running around like toddlers with a chainsaw doing what they think is important in their role, but won't listen to security because security has to say no sometimes. And when we say no, it's usually in that slow-motion existential "kid about to stick the fork in the electrical socket" no. How do you get leadership to tell the other departments to put the chainsaw down, please? That yes, you could do your thing, but you need some guardrails there. And that's our thing: it's like, okay, you want to go over there? Sure, we're going to make sure there are guardrails up so you don't fall off the side of the cliff kind of thing. How do you get the management to rein in the toddlers a bit in that respect?

>> So I've got two potential responses for you. One way is use the risk management framework. Use the risk talk and go through the cycles. Talk with the risk facilitator or the risk owner. Go at it and run it through the risk processes. You're using the language and the frameworks and the authorized processes, and if they don't listen to that, it's documented and it's their butts. Okay, so that's one avenue. Use the existing business leverages that you can. To change politics is a very different thing. Conflict of interest, self-preservation, right? Competing priorities. Sure, whatever. But there are many ways you can say it. The second part of my answer, I believe this firmly, and I always tell it to my kids: if you've got choice A and choice B and you don't like either of them, make choice C. Just because you have A and B in front of you and it's presented to you, does it mean that choice C does not exist? Is there a choice D, an E? Is there another way to do it? Obviously, you've got to play your cards right and navigate throughout the cultural system appropriately so that you're not looking for a job after. But creativity is one of the most valuable assets and skills anybody can have. Just because two options are given to you, it doesn't mean that you have to accept those. Doesn't mean that there's another option available. Critical thinking: go draw a painting, go sculpt something, and maybe something will come. Write a song, right? Build a bench. I don't know, right? But creativity will help. There's always a way.

I'm gonna go over here because he's closer.

>> Wonderful presentation. Wanted to know if sometimes you could come up with a risk score that will help the business understand, you know, the risks of not doing something. Let's take patching as an example. Sometimes it's not as easy as putting a number to it to say this is the revenue or this is the expense that you would have to work because of this data breach. In those cases, what's your recommendation to actually provide that information to the business, to say this is the kind of risk that you're working against?

>> Well, it's hard to give you a silver bullet answer, but I go back to the creativity piece, and what's impactful to that business? So that one patch, let's say, how does it impact the business? Is it a critical asset? Is it not? If it is within their risk capacity, what they understand as risk appetite, they should already have some of those metrics. That's why, if they already exist, use them. Large corporations, they all have it. They all did the studies. They all understand what their risks are, and if XYZ happens, how much impact that's going to be and how we want to streamline a response to it. Cyber can feed into that, right? There are many ways, and I can't give you the silver bullet answer without understanding more, but really dig deep into the business. It's not a cyber security problem. It's a business problem.

>> Yeah. One thing you brought up about two sets of risk measurement, one for cyber and one for the rest of the business, and how that wasn't a good idea. I'm in complete agreement. But what do you think the reason is that cyber thought they needed their own?

>> Possibly because cyber leadership, or leadership doesn't listen to cyber leadership as well as it should, or vice versa. It's not being communicated as well as it should. CISOs have a very difficult job. I empathize with them. I never want to become a CISO myself. They need to handle a lot of alphas, male or female; they need to handle the business, the different business problems, the external factors that are all listed here, or, where is it, yeah, number two, or number one, and how do they protect the business from all of those? Because leadership doesn't care if it originates as a cyber. That's cyber's responsibility. Why did they not fix it? Is it an education thing with the leadership, with the business, with understanding? I would say yes. That's definitely part of it. Every organization is different. How can we as technical people, operational people, strategic people, how can we offer that time, consistent messaging, speak the business's language? Is there a business case that you can develop? Is there a case study? Like, I modeled this presentation after a case study. Whenever I draw up a case study, I always talk about these different points. It could be a two-pager, and if you get it to the right person, maybe it'll hit, or they can extend this and take it further, right? There are many ways. I can't say what the disconnect is, but I don't want to blame the business leadership only. There's a responsibility of the cyber business as well, the cyber security department. It's not a silo. And in a situation like this, it should be supporting the enterprise, not doing their own thing. That's going to cause budget problems, priorities, people getting let go, objectives not being done, risks becoming true. The list goes on and on. So, going back to an example, if HR didn't support the business, going back to what you said, Brad, if they don't support the business, they're running around doing their own thing, is that a problem? Yeah. Do you want to replicate that problem? Probably not. Marketing, if they're marketing a whole product or service that doesn't apply to the business, that's a big problem. That's the equivalent of cyber doing its own thing, in my perspective. Not to say I'm right. I've been wrong two or three times in my life. So take it with a grain of salt.

>> Okay, I think we'll end it there. Thanks again, Burt. Thank you, everyone.