A Market Waiting to Happen?

To follow up on my post earlier this week, here’s a great statement by Brie Entel in her recent SANS article, “The New Financial Metric for Cybersecurity.”
“This change starts at the top. Chief Information Security Officers (CISOs) need to change their mindset that cybersecurity is a cost center, and instead view it as a profit center. As a cost center, cybersecurity is seen as overhead. Your budget is to be managed as part of the cost of doing business. Shifting to a profit center mentality, cybersecurity becomes a business driver – accountable both for spending and growth, or more specifically, savings through risk mitigation.”
I’d open that statement up to everyone in the org, not just the CISO. Changing your mindset can happen in a moment of realization, and when backed with data and communicated clearly, it can quickly spread to other minds.
It might surprise you, but the data is out there to support the organizational change needed to address the growing cyber threat; it just needs to be stitched together. How do I know? Someone else made a compelling case that opened doors in my mind and in a moment changed my mental model…
In January 2021 I happened to attend a MITRE ATT&CKcon Power Hour session entitled "Measure What Matters: How to Use ATT&CK to Do the Right Things in the Right Order." The session focused on using threat intelligence (TI) data and ATT&CK to compare candidate projects and determine where you get the best return on investment (ROI).
As I watched, I recognized that Daniel Wyleczuk-Stern, a Senior Security Engineer from Snowflake, was on to something. He was focused on improving decision making within the security org, but I realized his approach could be the common ground that has been missing in whole-of-business conversations.
We can take his approach a step further by using the large body of publicly available security and TI data to understand how decisions impact resource allocation, the assignment of business value and the resulting CAPEX and OPEX costs, and in doing so bring some color to the formerly gray area between the top and bottom lines. We can bring the tools and mechanisms of business management to security and risk management, bridge the gap, and build the foundation of a common language for both. Hmmm, just thinking about this makes me want to go build something… Any takers?
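To make the "compare projects by TI-weighted ATT&CK coverage per dollar" idea concrete, here is an added worked example. It is not code from the ATT&CKcon session, from Snowflake, or from the original post: the technique prevalence figures, the candidate projects, their costs and their efficacy fractions are all constructed assumptions, and the greedy marginal-reduction-per-dollar scoring is one simple way to do the comparison, not the method presented in the talk. The point it shows that the prose does not is how overlap between projects has to be discounted, so that two controls covering the same technique are not both credited with the full win.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input (not real CTI data): the share of tracked intrusion
# reports over the past year in which each ATT&CK technique was observed.
TECHNIQUE_PREVALENCE: Dict[str, float] = {
    "T1566": 0.80,  # Phishing
    "T1059": 0.70,  # Command and Scripting Interpreter
    "T1078": 0.55,  # Valid Accounts
    "T1021": 0.40,  # Remote Services
    "T1486": 0.35,  # Data Encrypted for Impact
    "T1190": 0.30,  # Exploit Public-Facing Application
}


@dataclass(frozen=True)
class Project:
    name: str
    cost: float                   # first-year CAPEX + OPEX, in thousands (assumed)
    mitigation: Dict[str, float]  # technique ID -> fraction of that technique's risk removed


# Constructed candidate projects; costs and efficacy fractions are illustrative assumptions.
PROJECTS: List[Project] = [
    Project("Phishing-resistant MFA", 120, {"T1566": 0.6, "T1078": 0.7}),
    Project("EDR with script-block logging", 200, {"T1059": 0.7, "T1486": 0.4}),
    Project("Network segmentation", 350, {"T1021": 0.8, "T1486": 0.3}),
    Project("External attack surface management", 60, {"T1190": 0.6}),
    Project("Email security gateway", 90, {"T1566": 0.5}),
]


def marginal_risk_reduction(project: Project, prevalence: Dict[str, float],
                            residual: Dict[str, float]) -> float:
    """Risk a project removes on top of the controls already selected.

    residual[t] is the share of technique t's weighted risk still unmitigated
    (1.0 = nothing in place). Controls are modelled as independent, so a 50%
    control layered on a 60% one leaves 0.4 * 0.5 = 20% residual; this is what
    stops two projects from being credited twice for the same technique.
    """
    return sum(prevalence[t] * residual[t] * eff
               for t, eff in project.mitigation.items() if t in prevalence)


def remaining_risk(prevalence: Dict[str, float], residual: Dict[str, float]) -> float:
    """Prevalence-weighted risk still on the table after the chosen controls."""
    return sum(prevalence[t] * residual[t] for t in prevalence)


def rank_projects(projects: List[Project], prevalence: Dict[str, float],
                  budget: float) -> Tuple[List[str], float, Dict[str, float]]:
    """Greedy portfolio: keep taking the affordable project with the best
    marginal risk reduction per unit cost until nothing affordable adds value.

    Returns the chosen project names in selection order, the total spent and
    the per-technique residual risk left over.
    """
    residual = {t: 1.0 for t in prevalence}
    remaining = list(projects)
    chosen: List[str] = []
    spent = 0.0
    while True:
        affordable = [p for p in remaining if spent + p.cost <= budget]
        if not affordable:
            break
        best = max(affordable,
                   key=lambda p: marginal_risk_reduction(p, prevalence, residual) / p.cost)
        if marginal_risk_reduction(best, prevalence, residual) <= 0:
            break  # everything left only re-covers techniques already handled
        chosen.append(best.name)
        spent += best.cost
        for t, eff in best.mitigation.items():
            if t in residual:
                residual[t] *= (1.0 - eff)
        remaining.remove(best)
    return chosen, spent, residual


if __name__ == "__main__":
    before = remaining_risk(TECHNIQUE_PREVALENCE, {t: 1.0 for t in TECHNIQUE_PREVALENCE})
    order, spent, residual = rank_projects(PROJECTS, TECHNIQUE_PREVALENCE, budget=500)
    after = remaining_risk(TECHNIQUE_PREVALENCE, residual)
    for i, name in enumerate(order, 1):
        print(f"{i}. {name}")
    print(f"spent {spent:.0f}k, weighted risk {before:.3f} -> {after:.3f}")
```

With a budget of 500 the greedy pass picks MFA first (it touches two highly prevalent techniques for little money), then EDR, then the two cheap single-technique projects, and leaves segmentation unfunded; raise the budget and segmentation is taken last because, after EDR, part of its ransomware coverage is already discounted. The same structure accepts real CTI prevalence counts and real cost estimates in place of the constructed numbers, which is the "stitching together" the post is asking for.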
About RockITek, LLC: RockITek is a progressive Technology Partner + Enterprise Distributor to manufacturers of revolutionary technologies that have the potential to impact the world. We thrive at solving problems faced by the thousands of Independent Software Vendors (ISVs) with trailblazing software capabilities being marketed across a variety of markets. Our unique approach rapidly matures and continuously maintains the security of your SaaS to US government standards; automates cloud marketplace(s) and enterprise transactions from purchase to deployment to payment; and creates an enabling ecosystem for continuous growth for all partners. We are a small business (NAICS 541519) with a GSA Federal Supply Schedule 47QTCA19D0085.