Translating Security For Small Business
This week is Black Hat — the annual Hacker Summer Camp, as many folks call it. And this year is the first year in 14 years I haven’t been there. This year, I intentionally took an opportunity to punt on Hacker Summer Camp. Why? I had an invite to speak to a group of small-business owners about cybersecurity. Typically we don’t see or hear about, or in truth spend much time thinking about, small businesses and how they can address the topic of cybersecurity. I was really excited to chat with these folks about the ins and outs of good cybersecurity practices and figure out how they were working to fix their own cybersecurity posture.
After I gave my speech, the typical “keep it real” cyber speech I have given a hundred times by now (and yes, the naked motorcycle guy was in my slides), it was time to listen to a few panels of different small-company CEOs and leaders about how they were working to enable cybersecurity. And that’s when I felt like I was about to have a full-on stroke.
I listened to panel after panel talk about the difficulty they had translating security to their business needs. I heard from the folks on the panel that their workforce didn’t “like” security and that they had issues with implementing security controls across their organization. The actual tone that came from the people running these small businesses when it came to implementing security was really one of “Unless I see a raging volcanic inferno, there is no fire. It’s just smoke.”
These small businesses didn’t “speak” security. Most of them had no CISO, and few, if any, had any dedicated security personnel on staff. If anything, it was usually the person running the network who was tasked with security. I thought I had to see if there was a different way to translate the necessity of a sound security strategy to the employees and leaders in these companies, so I sat down and chatted with a few of their leadership.
Me: Your company sells a product or service, correct?
Them: Yes.
Me: OK, well, when you sell something, do you just walk into the sales team area and holler “Go sell this” and go away and hope they are on top of it?
Them: No, that won’t work. We hire a sales lead and make sure they have the tools and know how to make sales happen.
Me: OK, good. So in sales, you basically find a sales leader, you empower them, you let them set the strategy, they choose tools and technologies that enable that strategy, and then they go forward and conquer and use specific metrics all along the way to prove their strategy is working, correct? And you don’t let an employee stop you from achieving your goals because they have an issue with your strategy or some technology you have chosen to enable your business outcomes, right?
Them: Pretty much.
Me: So, guess what? In security, it’s not that different. You need to follow that same approach for security, and that’s how you better secure your enterprise. I would suggest leveraging a strategy like Zero Trust, but y’all need to pick something and start moving forward. You can’t afford to wait. Do those same things. Pick a leader or, if you can’t find/afford one, a third party to run things. Choose a strategy that aligns with your future state and goals, empower them to do things, choose technologies that enable that chosen strategy, track progress with metrics, and keep moving on like that forever. And don’t let your employees deter or degrade your approach; you have to be secure to do business today, just like you have to succeed in sales to stay afloat.
Them: Huh. It makes sense when I think about it that way.
Me: Cool beans. Let me know if I can help y’all dial in on that strategy. I know somewhere with a decade’s worth of material to guide your future decisions (wink, wink).
I don’t think this was a real watershed moment, nor do I think that instantly every one of those small businesses will adopt the strategic approach I suggested and suddenly be Zero Trusty. But I do think that they got the point. I genuinely felt that a light bulb had been illuminated and that, while the approach to security seemed orthogonal to their way of doing business, when you relate it to something they understand soup to nuts, bingo.
Would I have rather been at Hacker Summer Camp? Yeah. But it’s nothing new to talk security with folks who are already steeped in the topic; it’s a potential game-changer when those who aren’t security pros suddenly seem to get the value of a security strategy.