Connecting state and local government leaders
Agencies can better align their cybersecurity and business priorities when they have affordable risk management solutions that deliver measurable results.
Most organizations take a reactive approach to cybersecurity, but a better way is to focus on outcomes, a new survey report shows.
Sixty percent of respondents said their organizations react to individual cyber issues, but 83% are interested in, planning to adopt or expanding their adoption of outcome-based security solutions. Those approaches “simplify cybersecurity by cultivating only those capabilities that measurably deliver their desired outcomes as opposed to traditional threat, activity-based, or [return on investment]-based methods,” according to “The Value of Putting Security Outcomes First,” a report by Forrester Consulting commissioned by security firm WithSecure.
Experts agree that outcome-based security is beneficial. “To me, outcome-based cybersecurity is really focusing our attention on achievement, rather than dogmatically on the parts of the stuff that got us there,” said Matt Butkovic, technical director of the Cyber Risk and Resilience Assurance Directorate in the CERT Division of the Carnegie Mellon University Software Engineering Institute. “To answer the question ‘Did we achieve our outcome?’ you have to have a system of measure … to express the completeness of what you’ve done, which is different than, ‘OK, there’s 14 somethings. Have we done all 14 of those things?’”
As an example of how outcome-based security might work, he pointed to the Sarbanes-Oxley Act of 2002, which required public companies to develop controls for better financial tracking.
“The way you got there was left up to you,” Butkovic said. “It was a slight change in mindset, going from ‘this is the specific steps A through Z’ to ‘as long as we get to Z, we can skip M and L in a risk-informed way. We know that’s OK.’”
For state and local governments, it might look like this: A water treatment plant needs to ensure only people with proper authorization can adjust the mix of chemicals for purifying water. That is the outcome, so officials need to determine the cybersecurity controls to achieve it, Butkovic said.
To adopt outcome-based cybersecurity, agencies must first understand their risk tolerance and current risk management practices, said Kevin Jackson, chief executive officer at Level 6 Cybersecurity. The company created a data analytics service that would enable public-sector organizations to see what security approaches have worked for other organizations of similar size and complexity.
One of the 23 cybersecurity strategy domains that the analytics engine measures is risk management. “You get areas where your strategies are at risk because perhaps you are implementing strategies that are not optimal, simply because you don’t have the resources or because for one reason or another, that’s not the choices you made,” Jackson said of the analysis. It “tells that city manager or that state-level [chief information officer] or [chief information security officer], ‘Here’s what actually has produced the best results for the dollar for organizations like yours.’”
Outcome-based cybersecurity allows for better alignment between an agency’s cybersecurity priorities and goals or business outcomes, according to the Forrester report—something only one in five respondents said their organization has. An inability to capture meaningful data to understand cybersecurity maturity and use it to measure the progress of business outcomes is a main contributor to this misalignment, the report states.
Shifting to outcome-based cybersecurity doesn’t mean throwing out existing approaches, just adjusting them. “It’s far easier to compare yourself against a very circumscribed checklist than it is to ask in an open-ended way, ‘Did we achieve our outcome?’” Butkovic said. “Rather than starting with the checklist, start with, ‘What are the things we want to happen or not happen?’ Those are the outcomes, and you work backwards from there.”
To begin using outcome-based cybersecurity, Jackson said the first steps are to identify who the decision-makers are and set up parameters for roles and responsibilities. Next, agencies should determine the value of the approach—a key component for funding-strapped agencies. Artificial intelligence can help by analyzing what would maximize limited budgets, he added.
Security managers must also understand that the way they evaluate outcomes and risks needs to change along with new threats and technology, Butkovic said.
“In the not-too-distant future, we’re going to need to take on post-quantum encryption as a concern,” he said. “We need to understand that [threat] should modify our assumptions about the outcome and will certainly modify the way we evaluate ourselves…. You’ve got to refresh the things that go in the hopper that allow you to make these determinations.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.