by Richard Berkley
Contributing Editor

I’m not an accounting major; I am a finance guy…

I went to school for finance and management theory. There is probably a whole post to be written on the “theory” of management and why it remains just a lofty notion (spoiler alert: because people be people) but instead, let’s focus on the finance side.

“So, you’re an accountant?” I get asked all too frequently… Well, I understand tax and double-entry concepts, and I can read a balance sheet and write one from a blank sheet of paper, but… no, I am not an accountant. The difference, as I try to explain it, is one of viewpoint. It is not a perfect definition, but accounting most often looks backward, while finance most often looks forward. Finance is a sort of crystal ball for the future, coupled with the rational application of math and a knowledge of history.

This being a cybersecurity site, allow me to make the link many may still be struggling with at this point. Security must be forward-looking. Yes, you need to understand history and what has been happening to protect against future threats – how embarrassing to get hit through a vulnerability that could have been patched last quarter? Yes, you need to understand the structures of IT and OT systems to effectively secure a network (read: you need to be able to read a balance sheet to structure a merger). But as new systems come online and the threat landscape keeps evolving, the CISO’s crystal ball needs to come into focus.

As CISO for many organizations, how do we accurately predict the next threat? How do we gauge their capabilities? How do we match their capability to our current and planned defenses? Does this information help set and shift our priorities (daily!)?

Let’s take an analogy recently sent to me by our Head of Cyber Operations. In WWII, the Allies studied the bullet holes on planes coming back from dogfights. The diagram of a Banshee from the US Pacific Fleet is below, with the most common bullet holes found mapped onto its frame. For those familiar with the story, you know the fallacy of reinforcing the places that have holes. You see, the planes that didn’t make it back got riddled with flak in the areas not covered in dots. That is to say, we should reinforce the vulnerabilities that could destroy our assets, not the areas of the irritating (and painful) but not lethal hits.

We actively monitor threat data from dozens of feeds, databases and primary sources. We are forced to match this data against the current realities of a system’s security maturity. When something pops up that could take down assets, that is the time to spring into action and reinforce.

We rely on the past to predict the future. Some might say there is no better source of data. Still, security is an exercise in looking forward, making best-guess predictions, and being wired to shuffle priorities more often than most find comfortable.
