My name is KAM. In cybersecurity circles, I’m well-known for a few things. First, my ongoing work for decades publishing tools and research to combat spammers, phishers, and bad actors. Second, that I like to start cybersecurity meetings with a dad joke. Third, I constantly advise people not to let perfection get in the way of progress when trying to improve their cybersecurity posture.
Why a dad joke to start meetings? Cybersecurity is hard work with a lot of burnout. All we deal with is blocking bad actors and researching how to stop the dregs of the world. So I think that a quick bit of humor before each meeting is a great technique to help us stay connected to our humanity and add some levity.
What’s my favorite dad joke for 2022? Thanks to reddit user EugeneHarlot:
Q: What’s the internal body temperature of a tauntaun?
A: Luke warm.
Sorry to say, the jokes don’t get much better than that but the cybersecurity work is always top notch.
NOTE: If you don’t get the joke, watch The Empire Strikes Back and be prepared to groan.
Besides the major problem of finding and retaining talented staff, another key problem with cybersecurity work is that people and projects fail to get off to a start. And if they do start, they can get stuck very quickly. When looking at these issues, the cause usually comes down to the cybersecurity team and the decision makers not being on the same page. Sometimes decision makers are given too many options, sometimes they don’t understand the risks, and other times people can’t face reality so they “ostrich” and stick their head in the sand. I try to make everyone’s life better by using these two concepts to avoid projects stalling:
Concept #1 – Box your cybersecurity project using goals, timeline, and budget
Concept #2 – Give options combined with recommendations to avoid analysis paralysis
For concept #1, cybersecurity is rarely ever “complete” as it’s not a thesis that you present and finish. You are working to build a culture of cybersecurity that embraces continuous improvement and maturity. So I like to approach a project by looking at what I would do in the project owner’s shoes with the same goals, timeline, and budget:
Goals should include pain points as well as the short-term and long-term reasons for the project. I also avoid specifics about the technical solutions to avoid alignment issues. For example, I once had a customer open a ticket to order a specific toner cartridge. In fact, the order was for 1000 of them and it turned out that the customer specified the wrong toner cartridge. The toners weren’t compatible nor returnable. I lost the customer by doing exactly what they tasked us to do instead of aligning with the decision maker on the goal to get them the right toner cartridges. A hard lesson in “trust but verify” which can be very important in a cybersecurity project.
Timeline is the project owner’s expectation for the completion of the task. I could write an entire but likely very boring article about timeline problems I’ve seen. But if you approach things by working on the goal in a budget and on a timeline, it lets you better demonstrate the progress you would make under these constraints. And it might not be bad to have a small project that doesn’t get to 100% especially if it fixes a small amount of the risk, you’ve educated the decision maker, fixed some of the risk, identified some of the real-world issues, and hopefully laid the groundwork for additional work. Progress is more important than perfection!
Budget will include all the resources you may have or need such as software, hardware, staffing, and funding. And you might want to take stock of what they already have that might fit the needs of a task to help meet the budget using effectuation theory.
Using the three data points (goals/timeline/budget) will help alignment and communication. Now you can create tasks, prioritize the work, and maintain costs by “boxing” tasks within the requirements to move towards the goal and estimating how much of the risk it will reduce. This boxing also helps remove diminishing returns too. For example, 90% of the risk might be reduced with 10 hours of work. But an additional 5% of mitigation would require double the work. Perhaps mitigating 90% of the risk is an acceptable result.
So by focusing on what you can do within the goals, timeline, and budget and estimating the risk reduction each task would provide, you can demonstrate more clearly what you plan to do with the resources allocated, unstick decisions, and sometimes even get more resources.
In fact, what I’m aiming for is a project proposal or briefing that can be summarized easily with this formula: “In order to meet the goals of X, we’ve identified the risks R associated. In the timeline of Y, with the budget of Z, this is the prioritized list of N tasks and the risk reduction for each task.”
Concept #2 is much simpler. Remember you are the expert and your job is to educate, provide options, and most importantly to lead. By always highlighting your recommended options, you can really make it simpler for decision makers to follow your lead. “In your shoes, this is what I would do…,” is a great way to discuss options.
To wrap things, using these concepts, I still find too many organizations spend too much money on cybersecurity assessments. In fact, even the very best cybersecurity assessments often fail to improve an organization’s security posture because they identify too many issues, don’t give good ways to get started, and spend too much of the timeline and budget just identifying problems instead of working towards the goal of mitigating risk. Very few organizations have the staff to take a multi-hundred page cybersecurity assessment report and use it effectively
My recommendation is to limit any cybersecurity assessments for a project to a very small percentage of your timeline and budget to focus on actions that reduce risk. For example, if you budget $50K for the project over 6 months, consider limiting assessment tasks to just one week and only 5% of the budget. This avoids assessments that lead nowhere. Perfect cybersecurity is an ever moving and unattainable goal so it’s best to focus on making constant progress over time.