In American military circles, there exists a term “embrace the suck”. It means to consciously recognize and accept that something will be extremely unpleasant so as to not let it discourage from pursuing the best path to success. It is often characterized as a situation that is misleadingly easy in appearance from an outsider’s view, but extraordinarily difficult in practice. It forces operators to optimize their situation, knowing it will never be comfortable, and pushing through anyway. With this mindset, professionals are driven to follow the best path, fully knowing it will be very difficult, and not concede to find the less productive but easier course.
For cybersecurity, measuring our value is this friction that we must contend with. The effort to do it right and achieve sufficient accuracy simply ‘sucks’ to accomplish. But without showcasing value, investment and empowerment will wither, thereby undermining the security organization’s capabilities to protect and enable the business.
Calculating security value is an extraordinarily difficult ask that unfortunately dissuades many leaders. They often pursue a theatrical path of flaming fears and doubts, or disregard the exercise altogether and attempt to operate without a clear picture of justification. Such fear and ignorance will suffice for some time, but ultimately bites back in painful ways.
Accurate portrayals of value are foundational in establishing a sustainable strategy that aligns with the goals of the overarching organization. It reveals a goldilocks zone where investment and empowerment are not too little and not too burdensome.
The cybersecurity industry must take on the struggle, knowing toil will never fully go away, and work to reduce the friction We must shed our anxieties and forego the illusionary poor-excuses of value couched in fear, in order to better convey meaningful cybersecurity investment.
The whole keynote presentation is available: https://www.youtube.com/watch?v=VQ31V-lVsKA&list=PLkMjG1Mo4pKKjDFBtB2JZJ9OtKA_QSYBV