100 coins: an exercise in trade-offs.
National security offsite deliberations, as described by Phil Quade (CISO, Fortinet, but retired from a senior position at NSA) use a "100 Coins" exercise as an aid to thinking about force planning and resource allocation. Suppose you had, explained, two-hundred-forty-five things you might wish to buy, but only one-hundred coins to spend. What would you choose to buy, and why? He put three security executives though this drill on March 7th, 2018—Nick Shevelyov (CSO, Silicon Valley Bank), Mo Katibeh (CMO, AT&T Business), Pete Gouldmann (Enterprise Risk Officer for Cyber, US State Department), and Jay Gonzales (CISO, Samsung Semiconductor). While they came up with different patterns of expenditure (too long and complex to reproduce here) they offered the following observations on how they thought through the Hundred Coins problem.
Katibeh categorized products or services as falling into prevention, detection, or response. From an assumed perspective of a smaller business (AT&T is of course a big business, but it serves many small business customers) he thought he would spend fifty on prevention, forty-five on detection, and five on response. He emphasized the importance of buying tools that fit your enterprise stack, as opposed to simply going for the most expensive and capable tools. To Quade's question, what enduring problems do you see, problems that you can't simply spend your way out of, Katibeh answered, "No matter what you do, your people will click on the bad link, attachment, place. And it's getting worse." Thus the last twenty percent, he thought, would always be going to the end user. Quade characterized this result as saying the wetware was failing, not the software or hardware.
Gouldmann, answering the same question, agreed generally with Katibeh. He said he believed strongly in governance, risk, and compliance, and in the need to compensate for human weakness by risk management. He also looked for solutions that lent themselves to being managed together, not in silos.
The shopping list the exercised posed, Katibeh said, assumes you know what approach you should be taking on cyber, but of course you may not. Some sort of cyber consulting might be a useful starting point, so you can understand where to start. And this might particularly help a small business.
Shevelyov thought time and attention devoted to understanding your technology debt load would be well spent. "Cleaning that up solves for a lot of ailments." Quade glossed this as reducing your attack surface by aging out your legacy systems, a characterization Shevelyov agreed with. He also advised taking steps to improve your digital hygiene.
The high-risk, high-potential-gain items on the list? The panel suggested data science, data analytics, and automation fit that description.