I was recently asked why there has been a spike in incident alerts during the current month.
As I gave my answer, I noticed that I was focusing on the reasons behind “why” the numbers had risen and it became apparent to me that when I explain risks, I tend to focus on the motive of why a risk might occur.
I believe this is due to my way of thinking. Even when speaking or asking someone to do something, I focus on “what’s in it for them,” because I believe that ultimately, most people need to be motivated before they act. There has to be a reason behind all things and if we understand the reason, we can address the means and the opportunities that leave that motive an actionable possibility.
When a crime is committed and is assessed at trial, the prosecutor is asked to provide the means, the motive and the opportunity of the suspected of committing the offense. The ability of someone to commit a crime is the means. The reason someone commits a crime is the motive. The chance or availability of resources for the crime to be carried out is the opportunity.
This is how as CISOs we think about risks and how to address them. It does not mean that one way of thinking is better, because to be fully effective, you have to consider all three factors but all will default to one of the other two. If you are a CISO, the question is: are you a means, motive or opportunity CISO?
The “Means” CISO
If you are a CISO that focuses on the “means” of a risk, you are most likely a highly technical CISO with a strong technical foundation and background. Your mind will tend to immediately think of the “how” an attack would be carried out. You will gravitate to the technical means by which an attack would, or could happen. Your approach will focus on the tools and processes that can be used to protect against the means. If you tie that back to the five areas of NIST, your main wheel house, or where you like to focus, will be on the “protect and detect” areas. This is a very important area on which to focus, because if someone has motive and opportunity but no means with which to carry out their crime, you have to ask yourself, would the attack even happen?
The “Motive” CISO
Where there is a will, there will always be a way. This is the way the “motive” CISO will think. This type of mind will focus on the why an attack might happen. A CISO who prefers to focus on the “why,” will concentrate of the psychology of an attack. This person focuses on the identify area of NIST model. They will look at each possible “why” and will then determine the means and opportunity in order to protect, detect or respond to such an attack. This individual usually believes there is no possible way to know every method or opportunity, so instead of attempting to stop it all, stop what is most likely based on what would be the most likely reason for an attack to be carried out. If you understand the why, then you will see how someone would be able to orchestrate an attack and block their ability to do so.
The “Opportunity” CISO
When a door closes, someone else opens a window. This is the mindset of the “opportunity” CISO. This type of security leader will focus on the idea that there is more than one way to skin a cat. They will focus on the risks that lie not only within in their own purview and control, but on those that lay beyond. The focus will be on the availability of all resources at the disposal of the attacker. This CISO will focus on the respond and recover of other organizations in order to ensure they are collecting all the data on the various available resources or opportunities for an attack. They draw from the experience of others and apply those to narrow down the available resources that may be used in an attack. Take away someone’s opportunity to do bad and they will do no harm.
The Perfect Defense
In reality, there is no perfect crime and conversely, there is no perfect defense. All three factors must be considered when developing a security strategy and a CISO must focus on all three. It is important to self-identify as a security leader which is your preferred, or default focus of a risk, because you can then identify where you need staff to fill in or focus on the other two. It’s like a triangle. There is no correct or wrong angle to look at it. A seasoned CISO will be able to see and identify all three facets in the design of their strategy. They will be able to articulate how the program addresses means, motive and opportunity in realistic and actionable terms and ways.
One focus is not better than the other, they are all equally important. It is merely a way to think and identify the way you prefer to first look at a risk.