The following exchange describes how security architecture decisions are made in many organizations:
IT PROFESSIONAL: “We need to implement this new product or feature.”
BUSINESS LEADER: “Okay, but why?”
IT PROFESSIONAL: “Because our security consultant said we should.”
BUSINESS LEADER: “Okay, but why?”
IT PROFESSIONAL: “Because it will make us more secure.”
BUSINESS LEADER: “Okay, but how?”
IT PROFESSIONAL: “Don’t you want us to be more secure?”
BUSINESS LEADER: “Yeah…”
IT PROFESSIONAL: “So, then we have to do it.”
BUSINESS LEADER: “Okay.”
Often, security decisions are made based on expert advice, best-practices lists, or simply because it’s what “everyone else” is doing. The problem with this approach is that it relies on a variety of expert opinions; add varying motivations to those opinions, and you’re left with a highly inconsistent approach to your cyber defense. If we continue to make security decisions based solely on a collection of ad-hoc advice, without taking into account the context of our business, then the probability that the many security controls across different systems will work together cohesively is low.
How to make better security investment decisions
Using a well-designed process to make your security investment decisions based on your specific business needs and vulnerabilities will yield more consistent results (at least 21% more consistent according to Douglas Hubbard, the inventor of the powerful Applied Information Economics method). I highly recommend Hubbard’s book, How to Measure Anything in Cybersecurity Risk, to anyone interested in this topic.
Some of Hubbard’s research is represented in the graph below, which was presented at the RSA Conference. When 48 experts were asked to provide probabilities of six or more different types of security events, their first response did not always match up to their second. As a matter of fact, 21% of their responses were explained by inconsistency.
Your Cybersecurity Strategy Should Answer These Two Questions:
Cybersecurity is a deeply complex subject, and there’s no such thing as a one-size-fits-all solution. However, at its most basic level, a well-designed security assessment should always begin by answering these two primary questions:
- What are we trying to protect?
- What are we trying to protect it from?
Ideally, these questions can help you arrive at a holistic organization-wide security strategy that will drive future decisions. Tactically, these questions can help guide configuration/implementation decisions.
If you don’t identify what you need to protect, you dramatically increase the scope of any security-related project. As you increase the scope to address any and every potential scenario, you delay protection improvements for your most valuable assets.
In other words: increased scope = increased cost and/or a longer time to protect the things that matter most.
Prioritize Your Most Likely Threats First
Bad guys have their own ROI. Low-cost, at-scale attacks (phishing) are constant and ongoing because the ROI is there. More advanced and targeted attacks require a greater investment of time and resources from the bad guys.
Raise your defenses to protect against these most common and frequent threats first. If you focus on the incidents that are as likely to happen as a bowl of petunias being yanked into existence miles above planet Magrathea… you take away valuable time and resources from defending against far more likely threats. Also, the greater your value is to the attackers, the more likely the improbable becomes.
Don’t Leave the Fate of Your Business to Chance
SCORE, offered by BDO Digital, is focused on evaluating how well an organization’s most valuable assets are protected against its most likely threats, then defining what its future protection state should look like, and evaluating future decisions against that benchmark with those assets and threats in mind.