How a CISO’s Approach to Security Strategy Can Be Shaped By Philosophy

“Philosophy?” the conversation usually begins – “that’s an odd background for cybersecurity, isn’t it?”

“Funnily enough,” comes my well-rehearsed reply, “not at all”. I have been surprised how often the skills of one field can be easily applied to the other. Devising enterprise-wide risk mitigation strategies requires critical thinking and analysis of competing hypotheses, much like assessing the cogency of inductive reasoning.

Both fields also demand the practitioner set off on an impossible task. The philosopher knows that at best they will arrive at an internally consistent model that is a rough approximation of reality. In cybersecurity, as the old cliché goes, it is a matter of when your organization suffers an incident, not if.

Just as there is no single perfect approach to cybersecurity, there are myriad different schools of philosophy. Whether they know their Jeremy Bentham from their Epictetus, when there is no single ‘right’ answer to a problem a CISO can turn to some rather unconventional, but nonetheless appropriate, sources of inspiration.

Playing the numbers with utilitarianism

Why should we spend money on protecting personal data if we can buy cyber insurance? If our systems have been hit by ransomware, should we pay the ransom? These cybersecurity questions have an ethical dimension that is worth consideration. To do so we could turn to utilitarianism, a philosophical tradition founded on the principle that providing the greatest benefit to the greatest number of people is the ultimate measure of right and wrong.

In classic utilitarianism, determining the correct course of action in our two hypothetical scenarios would be a matter of assessing consequences. What are the consequences of improperly protecting our data or paying the ransom? How do we quantify this? From a program management perspective, we could reduce this solely to dollars and cents: if the cost of protecting personal data (including less-tangible costs such as reputational damage) is greater than paying higher insurance premiums and regulatory fines, then perhaps we needn’t bother.

Obviously, this is problematic. A CISO that focusses solely on maximizing immediate benefits may not recognize the longer-term harm that could result from that approach. In the same way a modern utilitarian may wish to minimize harm, rather than just maximize benefit, so too should cybersecurity leaders think past the immediate consequences of their decision-making. After all, today’s cost-effective ransom payment may well fund next year’s attacks.

Managing risk with stoicism

While most organizations have no problem identifying cybersecurity risks, issues often arise when it comes to defining the risk appetite or prioritizing remediation efforts. Whether it is securing legacy infrastructure or locking down non-compliant cloud instances, or addressing complex security issues requires consistency and persistence: these are two of the central tenets of stoicism.

Successful security strategies rely on incremental improvements across the board and cultivating a security-conscious culture, rather than hoping for a magic bullet to mitigate systemic risks overnight.

To effectively manage cybersecurity risk, we can draw inspiration from the famous Stoic philosopher and slave Epictetus, who believed the greatest goal in life was to “identify and separate matters so that I can say clearly to myself which are externals not under my control, and which have to do with the choices I actually control”. Knowing what is within your control is often a matter of good governance: defining and communicating who is accountable for what.

Understanding the externals that are outside your control is the result of knowing your threat landscape: CISOs who worry about obscure hardware vulnerabilities while the entire workforce is busy clicking phishing links are rarely effective. Without either, organizations can find themselves revisiting the same unresolved risks year after year.

The stoic CISO therefore should follow this simple mantra: know thyself, undertake regular threat modelling, and outsource the management of risks you cannot control.

Being proactive with Daoism

Wu-wei, a guiding principle for both individuals and governments in Daoism, is often translated as “effortless action” – a state of heightened situational awareness and adaptability. The Daoist text Dàodé Jīng teaches objectivity, flexibility, and self-awareness: “Knowing others is intelligence; knowing yourself is true wisdom”.

Similarly, while organizations commonly look outward to improve their security maturity, whether to new tools, publications, or threat intelligence feeds, their gaze would often be better turned inwards. Misconfiguration and human error remain primary culprits for security incidents, and are often the by-product of poor security awareness, inadequate processes, or a lack of visibility of the environment. Are your cloud instances misconfigured? Are staff accumulating privileges? How are your vendors or suppliers performing? These are some of the basic questions that should always be asked at the outset of a new cybersecurity strategy.

The constantly-shifting threat landscape means a sound strategy should resemble the fluid nature of the Dao – when business requirements or the risk environment changes, so should your approach to managing cybersecurity.

The launch of a business-critical system, the acquisition of a new entity, or the addition of a new data type are all indicators it is time to revisit your risk registers and information security management system for currency and accuracy. A CISO with Daoist leanings will therefore be both flexible and proactive in approach, deploying pre-emptive measures such as threat hunting to identify new vulnerabilities and risks as the business grows and changes.

Managing the security posture of a large organization is never a simple task. With myriad stakeholders, technologies, data types, regulatory requirements and attack vectors, your unique combination of challenges means there is no single ideal path or methodology.

We should therefore strive to always be conscious of the bigger picture – whether it’s the broader impacts of a ransom payment or the fluid nature of threat actors – to ensure our corporate posture is both fiscally and ethically sound.

What’s Hot on Infosecurity Magazine?