Reasonable Assurance against predictable Threats

I’m privileged to have been part of the security “scene” since the late 90s and of the security industry since the early 2000s, when I was still a teenager.

Due to this long exposure, and having held multiple types of roles including operations, engineering, penetration testing, marketing and product management, and governance, risk management and compliance, I’ve grown somewhat cynical about complexity, FUD and claims of magic or silver bullets, and I am always looking for the simplest solution to the problem at hand.

Inspired by a Persian story, also used by Abraham Lincoln in a speech before he became the sixteenth President of the United States, I wanted a “mantra” like “This too shall pass away”: something that could be used in every situation, independent of context and of whether things are going well or less than stellar for you, and that I could apply to security as well.

The security industry is particularly riddled with bias, in my opinion. On the one hand, we have vendors who have been selling silver bullets which seldom deliver on their promises and, as in any industry which generates billions in revenue, more keep appearing every day, adding greatly to the confusion and uncertainty about what we really need to improve our organisation’s security game.

On the other hand, as there is a lot of security literature out there and the industry does attract really smart people (from whom I am also thankful and privileged to benefit), I can’t help but come to the conclusion that a lot of what security professionals do is done in order to impress peers rather than to serve the needs of our constituents (the organisations we work for), and, as Mr. Taleb puts it, we may end up rotting.

The natural consequence of this approach is that our industry tends to disregard the unsexy but much-needed basics in favour of more advanced approaches which our organisations may not be mature enough to consume or benefit from.

In thinking and planning a security strategy for an organisation, I personally like to think in terms of a spectrum.

Both the beneficiaries (our customers and the organisations we support) and the providers and practitioners (us, the security professionals) could do with a meme that applies to any situation or context, so that a common and defensible principle and perspective is adopted to help ensure the adequacy of our security strategies and efforts.

The best I could come up with is “Reasonable Assurance against predictable threats”, which is now the motto with which I engage in any work I do.

For the manager who doesn’t wish to be in a position to assert the effectiveness of his access controls: “Reasonable assurance against predictable threats”.

For the executive who didn’t invest in the security capabilities required to protect a digital organisation in the current threat landscape, and who is therefore not in a position to evidence due diligence: “Reasonable Assurance against predictable threats”.

For the security professional wishing to invest in the latest security toy that promises the world and beyond, instead of ensuring the organisation is appropriately protected against commodity malware or that accounts are removed when people leave: “Reasonable Assurance against predictable threats”.

For the security manager who has no situational awareness of what is actually going on in the organisation but keeps pushing for hundreds of thousands of pounds for the piece of technology of choice: “Reasonable Assurance against predictable threats”.

This mantra is the basis of how I personally approach security strategy and the building of a security programme: leveraging what came before and the brilliant work of others, and being only “as smart as needed” in order to move the security needle in the right direction. Until you have the basics in place, you have no business applying advanced approaches, because, as John Sherwood so eloquently puts it in the SABSA framework, “your good reputation [as a security professional] will depend upon your abilities to serve the business well” and “good security is business-led and business-serving” (Sherwood, 2005).

In the next blog posts I will decompose what I mean by reasonable assurance against predictable threats into its constituent parts. That will be followed by the use of Wardley mapping to identify the typical user needs for security, aligned with business drivers and targeted business attributes, for common executive roles such as CEO, CFO and CTO.

My ambition is to create and reuse patterns which will be released under a Creative Commons licence and, hopefully, improved by other security and business professionals.

Thank you for being on this journey with me.

Reference: Sherwood, John (2005). Enterprise Security Architecture: A Business-Driven Approach. CRC Press.