Using the idea that within other crafts lie the keys to making InfoSec a mature and fully developed craft, I thought I would pivot away from my law enforcement background and instead take a look from a business perspective.
But why me? I do own a coin-operated laundromat. Seriously, I do. And by the way, free dryer sheets with a $2 in-store purchase during the month of December if you mention this blog. I know, Entrepreneur of the Year, right? Yes, there are infinitely more qualified corporate experts with a business perspective on the challenges associated with Information Security; but a common lens does not always render a common view. As the owner of a coin-operated laundromat, an Army Ranger and a homicide detective, I am not going to see the same things Bill Gates sees when we wear the same glasses.
My view will be simplistic and derived from experiences in other fields. My business view will also not be cluttered with the Fortune 500 realities of quarterly stock value, market share, multi-billion-dollar mergers, corporate legal compliance, CEO succession and other such “noise.”
InfoSec’s mission should be to enable those on the front lines of the War on Information Security to detect and deter attacks more effectively. The goal is to reduce the noise produced by current industry tools and allow the average analyst to work smarter, not harder.
That sounds like a great tactical-level plan, but what about a more strategic plan? Maybe we should be looking at disrupting the enemy’s business model. Yes, the bad guys have business plans or, at a minimum, a good facsimile thereof. Proof? Really? It should not take an MBA, a corporate retreat and a huge allocation of R&D capital to realize the bad guys are having their way with our data. Year over year, the cyber criminals of the world have outperformed the Fortune 500s in the InfoSec sector hands down.
And how is it the bad guys are having such great success? They are planning and executing against modern business paradigms. Global business techniques, tactics and procedures are not proprietary to legal corporate entities. Nigerian fraudsters and Romanian mobsters may not be using the same corporate words du jour, but they do use competitive intelligence; leverage crowdsourcing; build innovative and entrepreneurial teams; utilize lean organizations; execute agile operations; manage risk; and use strategic thinking and organizational learning as part of their future-oriented planning processes.
They have all the power and resources of corporate America, minus the legal and ethical constraints. In other words, the bad guys are game changers. They are smarter, faster, better. They have aligned their “why” with their mission and purpose. They’re executing Sun Tzu’s Art of War to exacting measures. They have gone from good to great. In 2014, the Center for Strategic and International Studies calculated that cybercrime was responsible for a $400 billion loss to the global economy. Collectively, that would put the bad guys in about the number two spot on the Fortune 500.
Can one iteration of software updated with new functions produce a world in which hackers live in fear of being compromised? Can we force those of opposing beliefs and values to acquiesce to the will of our software? No. Can InfoSec dismantle “them” the way the FBI would take down a complex criminal organization, with wiretaps, satellite surveillance and thirty-year prison sentences? No. Can InfoSec banish and dismantle the bad guys any more than Microsoft, Apple and Samsung can dismantle and remove each other from existence? No.
Can we render their current business model unsustainable? Yes. Can we limit their SWOT “opportunities” and maximize their “threats”? Yes. Can we innovate faster? Yes. Can we disrupt their supply chain? Yes. Can we force the bad guys to make decisions using fewer facts and more assumptions, thereby degrading their effectiveness? Yes. Can we collectively find ways to facilitate wins across the tactical, operational and strategic lines of effort? Again, I say yes, but it starts with looking beyond just the tactical business win. The priority has to be to operationalize and mature the craft of Information Security, develop global corporate partnerships and execute strategic initiatives that result in cybercrime being an unsustainable business practice.
I propose we apply our collective American business intelligence and commit to building a safe and secure cyber environment that is free of fear and incidents of crime. Somewhere within the definition of Corporate Governance lies the word “Community”. We need to step back from quarterly earnings and stock values long enough to make our global cyber community a better place. I slog it out in the streets every day. You slog it out in the C-Suite every day. What do you say we take some of that fancy corporate collaboration and start puttin’ a beatin’ on the bad guys?