We Need a New Type of Cybersecurity Product

I think we in Cybersecurity have largely failed to show its value to the business over the last decades. And I think we need a completely new type of product to address it.

And before you get excited about a pitch or a product launch, I’m not interested in creating this product outside of custom implementations for my consulting customers. My reason for writing this is that I want other companies to make this. And more broadly, to pivot to this approach going forward.

But first, what’s the actual issue?

Our problem is communication. I think we are communicating the wrong things to the wrong people inside the organization. Not always, but generally.

Instead of providing an interface to the business that makes them feel safe, and assures them that their money has been well-spent, we’re chaotically documenting the activities we’re doing for them.

If I had to capture it in a single push it would be something like:

Cybersecurity Program Products should communicate safety. The word “Security” itself is actually Latin for se (“without”) and cura (“worry”). Without worry. It’s literally the thing we’re supposed to be providing.

CPP products should provide an interface that, upon viewing them, the viewer will experience a sense of calm about the state of their customers’ and business’s data and infrastructure.

The products can’t outright say this. They have to show it through a combination of narrative and evidence presentation that invokes the feeling within the viewer.

Some ideas around components

  • A focus on presenting the right level of narrative and data, at the right time, to the right people. AI (deep sigh) can of course help extensively with dynamic, audience-targeted narrative and data presentation
  • An always-updated top-down narrative of the Security Program’s goals, metrics, challenges, strategies, budget, team, projects, and timelines. E.g.:

We are currently pursuing these goals, which we track by these metrics, and we’re facing these challenges, which we’re overcoming with these strategies, which is why we’re doing these projects, which is how we’re spending this budget, using this team, all of which is yielding these results…

  • Clear articulation of what attackers are currently trying to do, which they can’t because we’re doing X and Y (dynamically updated with (another sigh) AI of course)
  • Clear articulation of what it would likely cost if those attackers were successful (dynamically updated with data / evidence from news / industry)
  • Primary use of short, clean narrative describing our state, what attackers are currently doing, and how we’re proactively and actively countering those efforts
  • Clear linking of how we’re spending our money to the programs that are providing that proactive security.
