A few months before I joined Forrester in 2015, I found a blog that introduced a new incident response (IR) metric, written by @rickhholland: “Introducing A New Incident Response Metric: Mean Time Before CEO Apologizes (MTBCA).” Rick introduced this not-exactly-tongue-in-cheek metric for IR because the playbook was so familiar: get breached, release a serious apology video, and move on.
This blog stood out as I went through the interview process at Forrester, and I remember thinking, “Wow. I have to do stuff like that? No pressure.” Rick was instrumental in me joining Forrester, and he still acts as a mentor and sounding board for research ideas even now in his CISO role. I can finally cross this one off my bucket list, as I’m going to introduce a new metric based on recent post-breach response behavior: “Mean Time Before Management Scapegoats Someone.”
- Mean Time Before Management Scapegoats Someone: This is a post-breach metric that captures the average amount of time before the senior leader of a firm publicly announces that the “real” cause of a breach is a lowly staffer far, far down on the corporate ladder. This metric tells the story of an “accountability shift.” The senior leaders of firms included in this calculation proudly announce, “Of course we didn’t allow this; we have a fiduciary responsibility to shareholders. A lowly ‘employee’ or ‘intern’ caused all this.” Not us. Not our culture, incentives, organizational structure, focus, and blatant disregard for security issues.
We put together a few other IR metrics that security pros can consider:
- Mean Time Before They Were Right Once: This is a metric that makes actionable the common saying in cybersecurity that “attackers only have to be right once.” Think of it as “left of boom for MTTD and MTTR.”
- Mean Time Before Announcing The Attack’s Sophistication: This is a metric to track how quickly your company says that the successful intrusion was undoubtedly the work of sophisticated threat actors. This metric ignores the fact that the intrusion’s root cause was reused end-user credentials with zero multifactor authentication in place and no malware whatsoever.
Sure, the above paragraphs and metrics ooze sarcasm and disdain — I don’t do subtle. Procedural failures occur, and causes of those mistakes matter. Good faith root cause analysis efforts will identify those failures and recommend corrective action.
These are senior leaders in positions of responsibility and accountability announcing that, yes, they ignored security, and now, while suffering the consequences, they have decided to place the blame squarely on the shoulders of people who were just trying to do their jobs without organizational support. This ignores decades of research on human error and complex systems, including corporate organizational structure and processes. If academic research is too boring for you, the movie “MASH” covered the same topic when Captain Duke Forrest said of fellow surgeon Frank Burns, “Every time a patient croaks on him, he says it’s ‘God’s will’ or somebody else’s fault.”
When CEOs scapegoat interns and admins, they are really announcing issues with policy, process, and accountability. Policy and process issues allowed the intern or admin to take those actions; oversight issues failed to identify actions that ignored policy and process; and accountability issues exist because “We succeed together, but we fail alone” is not exactly a great way to manage. It will lead to a toxic corporate culture, which will likely result in a toxic security culture. The leaders at these companies failed their stakeholders, not the employees and interns who work for them.
Perhaps not blaming employees and interns for failures in management would also help alleviate the cybersecurity staffing shortage firms face. Perhaps this will blow over and we will see a new metric, “Mean Time Before CEO Acknowledges Security Failures,” where leaders recognize that these statements highlight failures of leadership, not individuals. As Jon Taffer of Bar Rescue fame would say, “You need to own your failure, and then you will own your success.”
Learn how to get this right based on existing research from the security and risk team:
- Some real security metrics: “Remove The Mystery From Security Metrics”
- Good post-breach behavior: “How To Rebuild Customer Trust After A Data Breach”
- Solve your staffing shortage: “Reverse Cybersecurity’s Self-Inflicted Staffing Shortage”
- Keep cybersecurity talent: “Maintain Your Security Edge: Develop And Retain Cybersecurity Talent”