Binary thinking is death in cybersecurity.
This is especially a problem for non-technical business leaders trying to evaluate the effectiveness of a security program and to assess security budgets.
“You’re chasing ghosts,” I’ve heard people say in my career.
In other words: “Nothing bad is happening, why should we think anything bad will happen?”
It’s not raining, why should I fix the hole in my roof?
I’ve been driving my whole life without a seatbelt, why should I start now?
My house has never burned down. Why should I change the batteries in my smoke detector?
But managing risk means holding multiple possible futures in your mind at the same time. Futures with unknown probabilities. There is the future perfect and the futures imperfect. Security risk management guards against the futures imperfect and seeks to reduce the likelihood and impact of those imperfect states taking place.
How do we know if we are reducing that risk?
Since we don’t have the data to crunch the numbers, the most meaningful metric becomes measuring how difficult we are making an attacker’s life.
To give an obvious example: Want to stop phishing? Mandate YubiKey FIDO 2FA, and do some employee security awareness training. Monitor and alert on potential malware on employee devices.
I state the obvious but sometimes the best things to state are the obvious things.
How do you know if you are making an attacker’s life more difficult? By listening to the qualitative professional judgment of the experienced security professionals in your employ.
(Yes, I know you want numbers, but as I have written about ad nauseam at this point, quantitative risk metrics (so-called “Cyber Risk Quantification”) are useless when dealing with active adversaries, especially targeted attacks by nation-states.)
What happens when you engage in binary security thinking? You collapse the problem space into a zero-risk assumption that the future will be exactly like the present, and that nothing bad will ever happen.
Known known risks? It’ll never happen. Known unknown risks? Handwavy nonsense. Unknown unknown risks? Now you’re really chasing ghosts.
Sympathy with attackers—the ability to see yourself through their eyes—is vital to playing defense well. And that includes attackers both internal and external. (If internal adversaries, through their ignorance, harm your employer’s security posture, then that’s a risk you have to address as well.)
How, then, do we defend against such internal adversaries?
That is an even harder challenge than defending against attacks by organized crime or nation-states.
Oftentimes people who think in terms of binary security are unable or unwilling to check their assumptions or re-evaluate their thinking.
Then you’re forced to walk the escalation ladder and flex the chain of command in hopes that someone higher up will understand the risk and choose to address it.
Security governance is fundamentally about enforcing certain security practices company-wide. And the larger the company, the less persuasion works and the more “because I said so” becomes the only path to organizing people.
That is unfortunate, because it tends to wind up in the Kafkaesque nightmare that big banks frequently experience of vast amounts of inexplicable red tape that makes everyone’s life hell.
You can govern well or you can govern poorly. Bad governance does not mean the concept of governance is a bad one—only that the government/management of the day is bad.
That means governing well becomes part of the job as CISO. You can, of course, choose to abdicate that responsibility—but that is also a governance choice, and a bad one at that.