This edition of The Future of Cybersecurity Newsletter by Sean Martin draws a parallel between cybersecurity in businesses and "The Truman Show," highlighting the transformative impact of embedding cybersecurity into core business strategies. It discusses the challenges and potential of redefining traditional cybersecurity roles to foster innovation, enhance efficiency, and gain a competitive edge.
During a recent podcast I recorded with Paul McCarty about 'Red Teaming the Software Supply Chain,' I was struck by an idea that likened the state of cybersecurity teams to Truman Burbank's experience in 'The Truman Show.' Much like Truman, portrayed by Jim Carrey, who remains oblivious to his life being a manufactured reality, cybersecurity teams often find themselves in a similar state of isolation within their organizations, maintaining their own sense of reality, one driven largely by threats and attacks. This isolation isn't merely a barrier to their effectiveness; it profoundly affects the broader business in ways that are often overlooked, misunderstood, or underappreciated.
The first major impact of this isolation is that security teams, left in the dark, find themselves constantly scrambling and, in many cases, burning out. They are tasked with bolstering the security of other departments while responding to a barrage of emergent threats. They succeed in this game of cat-and-mouse until they don't. This reactive stance, I would argue, stems from their exclusion from pivotal business discussions and decisions, which curtails their ability to foresee risks and deploy proactive defenses.
Rather than being proactive contributors to the strategic planning process, they are relegated to a reactive role, addressing problems only after they have surfaced. At best, as a token gesture toward getting ahead of the risk, they are expected to build teams to patch the issues the business itself introduced into operations: through the selection of specific systems, the selection and development of certain applications, the unchecked use of open source components, and an unwieldy maze of business workflows with no schematic and plenty of places for business logic attacks to strike. While this will not surprise anyone in a cybersecurity role, it is a perspective that business leaders and executive teams may not fully grasp.
I posit that this isn’t a problem to be acknowledged and set aside; it’s a fundamental issue that needs addressing — perhaps by tackling it from a different angle, which is the crux of what I aim to convey in this article.
This isolation not only affects security team operations but also significantly impedes their ability to convey their value back to the business. This communication barrier makes it hard to secure the necessary funding, acquire proper training, take the time to prepare playbooks, and organize the cross-functional teams needed to practice tabletop exercises (which should include the third-party vendors and service providers they rely upon, mind you). It hinders their ability to deliver measurable value to the organization. In many cases, if tangible value isn't readily apparent, teams resort to constructing metrics and reports based on their activities, translated for business consumption, rather than on the actual or potential impact they have had on the business.
For instance, in a siloed setup, their achievements and contributions are often narrowly interpreted, focusing on specific actions and outputs rather than on the broader impact on business objectives. Measures like "How many critical patches were deployed last week?" and "What MTTx (mean time to detect, respond, and so on) figures did the team achieve?" are vital for managing security operations. However, while they loosely tie back to risk and operations, they carry little weight when it comes to demonstrating real business value.
This skewed perception relegates the security function to being seen as a cost center rather than as a vital contributor to the business's success. This post, however, is not just a critique of the maturity of security programs and their (in)ability to demonstrate value for and beyond their core function. Rather, it aims to redirect focus toward how businesses can better define the role and objectives of their security teams in line with the value they are expected to create or enable for the company. Or, more pointedly, to recalibrate the business's expectations of its cybersecurity team.
More critical, from my perspective, is the significant opportunity lost when cybersecurity teams remain isolated and relegated to looking at security for security's sake. This separation means that businesses miss out on insights that could fundamentally reshape not only their security strategies but also their overall business strategies. Input from cybersecurity teams has the potential to transform business objectives and goals and to promote a security-first approach. I am talking about far more than security being included as a "function" in the business; I am referring to the idea that security is a "feature" of the business. Just as we look at customer satisfaction data, sales data, marketing data, financial data, and so on, we should be looking at, yes, you guessed it, security data.
What's the potential outcome? To start, we might identify enhanced products and services a company can offer that tap into the strength of its security program, thereby gaining a competitive edge. Or it might entail a holistic view of internal and external operations, encompassing employees, partners, and customers, to understand where a platform engineering model could be implemented to support the entire business. Such a model would provide common services across the organization, embedding improved security capabilities from the outset and maintaining them as a service across all functional areas. This is the opposite of the current practice of bolting on security policies and controls later, in a fragmented and often inefficient manner.
In this scenario, security doesn't just support and drive value; it becomes a key differentiator in the market. This approach, where security is an integral part of product design and service delivery, allows businesses not only to meet their current objectives but also to innovate in ways that set them apart from competitors. In essence, it's about leveraging security as a foundational element for business growth, paving the way for new opportunities and heightened market success.
The most profound impact, however, may lie in the innovation and development of completely new products and services. For example, with security as a foundational element of research, design, and development, products and services can be fundamentally different from inception. This approach not only bolsters security but also paves the way for innovative breakthroughs. Products become more resilient, features more robust, and entirely new offerings become possible, ones that were previously unattainable without the integral input of security expertise and data-driven insights. And the security team is less burdened by cleaning up a mess that, without this model, would simply have been left to them.
Why is your organization building a team dedicated to patching the same system or application over and over if there is a better alternative that eliminates that burdensome patching process, improves performance, and offers a new technical capability that unlocks a completely new feature in the product or service the company offers? Good question. Only the business knows the answer; it's just that it may not have the data to make the decision.
Just as Truman Burbank ultimately escapes the confines of his fabricated world to discover a broader reality, businesses must similarly dismantle the barriers that keep their cybersecurity teams in the shadows. Doing so unlocks a realm of untapped potential, not only elevating the role of security but also driving business efficiency and spurring innovative excellence.
This leads me to my final point: who is the real Truman in this scenario? Pausing to consider it, it's conceivable that the business itself, like the security team, is operating within a bubble. Recognizing this, businesses must reevaluate their approach to information security. The CISO's role in translating and communicating information security in business terms is a good start toward bridging the gap, but it doesn't go far enough. This really requires the business to change how it views, and leverages, information security in order to experience something it couldn't have dreamt of before.
So … with that … will the real Truman Burbank please stand up?
And, while you're up, will you please check yourself and consider changing how you look at information security, for goodness' sake? I have a strong feeling that this shift could be the key to transformative change in our industry, opening the door to newfound opportunities and undiscovered successes and giving the business a real chance to transform in ways never imagined.
In the words of the ever-enlightening Eminem, from his song 'Lose Yourself':

Look, if you had one shot or one opportunity
To seize everything you ever wanted in one moment
Would you capture it or just let it slip?
Yo
To eliminate any confusion, it's not the "yo" that matters here. 😎
In closing, it’s great to meet you, Truman. And you too, Truman. Cheers to you both for your unfettered success in your new ways of thinking.
What's your perspective on this story? Want to share it with Sean on a podcast? Let him know!
This article represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.
Sincerely, Sean Martin and TAPE3
Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" Newsletter.
Want to comment on this topic? You can connect with Sean and the community in this LinkedIn post: https://www.linkedin.com/pulse/security-show-identifying-real-truman-transformative-business-martin-djdoe
Sean Martin is the host of the Redefining CyberSecurity Podcast, part of the ITSPmagazine Podcast Network—which he co-founded with his good friend Marco Ciappelli—where you may just find some of these topics being discussed.
Or, visit Sean’s personal website.