The Goal of Cybersecurity
Looking in from the outside, cybersecurity is a confusing space. If we’re being honest, it’s not that clear within the community either.
There is a relentless focus on the latest attack, on zero-day (previously unknown) vulnerabilities, and an obsession with phishing attacks. Cybersecurity is massively important to our digital world and yet it's often misunderstood.
Ask one hundred people what the goal of cybersecurity is and you'll get one hundred variants on the same answer: "To stop hackers". What they really mean by this is that it's security's job to stop cybercriminals from impacting the organization.
This isn’t a bad goal. But how do you prove that something hasn’t happened?
Let’s imagine that your job was to protect a large amount of cash in a physical vault. If your boss asked if you were doing a good job, you could point to the money in the vault as proof that you had accomplished your goal.
Things don’t work like that in the digital world.
If a cybercriminal steals your organization's data, the organization still has a copy of it. Only in the rare instances where an attack is destructive do you actually lose the data.
This is why ransomware is so shocking to most organizations that get hit by it. They have been evaluating security as a negative (stopping cybercriminals) and don’t have an accurate picture of their security posture.
When a cybercriminal then blocks their access to data and ransoms that access back to them, it’s a complete shock.
This is just one of the reasons why “stopping hackers” is a bad goal.
There’s More to It
The true issue with that narrow goal is that it reduces the effectiveness of your security team. Security designs and controls can help build resilient systems.
Technology breaks or, at the very least, operates unpredictably with an ironic level of predictability.
Security practices can help to reduce these issues and prevent people from making simple mistakes. Yes, stopping cybercriminals is a critical activity but it’s a byproduct of other activities that security should focus on.
If you build well, you build securely.
A more practical goal for cybersecurity is this: make sure that systems work as intended and only as intended.
This goal is much broader and requires collaboration with other parts of the organization. No more working in isolation just waiting for those cybercriminals.
This goal expands the builder's definition of done. Most teams see something as done when it achieves its stated goal, has some tests associated with it, and is documented.
So if a service is supposed to generate TPS reports, when it generates those reports and has some tests to prove it and documentation to explain it, it’s done.
The cybersecurity view is that it’s done when you do your best to make sure that it only generates TPS reports.
That might seem like it’s splitting hairs but it’s a critical difference. Security issues are code quality and systems quality failures. If you expand your definition of done, you’ll be building better…and be a straight shooter with upper management written all over you.