The Case for Outcome-Based Cybersecurity: A Data-Focused Shift in Cybersecurity Management

Kevin E. Jackson
Author: Kevin E. Jackson
Date Published: 1 July 2022

The challenges faced by today’s cybersecurity practitioners are well documented, however, the situation may be worse than described. It is not just that cybersecurity is extremely complex, that compliance requirements and the cost of noncompliance both continually escalate, that cybersecurity threats evolve at breath-taking rates or that all of this has to be managed with increasingly limited pools of cybersecurity personnel and constrained financial resources. The frightening truth is that all of these problems are simultaneously relevant. It is a perfect storm, and there is little reason to expect it will change if the global cybersecurity community continues to embrace the status quo.

Perhaps it is time to take a page from other industries tasked with managing complex, multidimensional problems. Consider the design processes used to create the next passenger aircraft. When fabricating a next-generation composite for the wings or determining the landing gear’s optimal configuration, the engineers do not simply develop to the standards and then hope for the best. Instead, they extensively test every material and every structure, collecting and analyzing performance data. Designs that fail must be improved or discarded. Designs that work move forward to the next round of testing. High rates of failure cannot be tolerated because passenger safety and security are at risk.

The safety and security of enterprise information systems, financial data and operational technology are no less important.

For aircraft builders, rigorous tests and the data they produce are essential. If the data reveal that a critical component does not perform well during testing, then it will never be used on an actual aircraft. What if there was a cybersecurity equivalent, a worldwide collection of active cybersecurity programs, that could be leveraged to collect data on which cybersecurity approaches deliver positive results and which approaches fail? Such a data collection effort could be sorted by industry and organization size to reveal what cybersecurity strategies work best and even reveal optimal ways to manage limited resources and funding—all while focused on actual cybersecurity successes and failures.

What would such cybersecurity success and failure data look like? The data would certainly need to include more than just the number of breaches in a given year. For example, organizations can track the number of cybersecurity events per time period, cyberinsurance premiums and claims, security-related budgets, phishing click rates and overall security losses in both direct and indirect categories (from fraud costs and ransom payments to reputational damage and lawsuits). For a given organization, these results can be correlated with the cybersecurity strategies previously employed to create an outcome-focused cybersecurity data platform.

Such a collection of active cybersecurity programs already exists. Every enterprise, nonprofit, government agency and business with an email address or a website is a live test environment for what works in cybersecurity. The global collection of information-enabled organizations is, in effect, a worldwide lab of cyberstrategies and outcomes. A popular 1990s paranormal US television show popularized the phrase “The truth is out there.”1 In this case, outcome-based cybersecurity data are, in fact, out there within the worldwide lab of cybersecurity programs.

There is another source of outcome-focused cybersecurity data that can even further enhance this concept: academia. Cybersecurity researchers regularly conduct best practice analyses that focus squarely on measurable results. Such research usually focuses on a single cybersecurity domain, such as optimal approaches to training and awareness, incident response or IT disaster recovery. Unfortunately, the results of such research typically have limited impact on large-scale cybersecurity strategy due to lack of wide exposure. If academic research were included within the aforementioned global pool of organizational cybersecurity data, statistically sound research results could further enhance the validity and accuracy of outcome-based cybersecurity analyses.

How might such a capability be used? First, consider how cybersecurity strategy is pursued now. Most cybersecurity strategies begin with standards, such as the collection of US National Institute of Standards and Technology (NIST) requirements and controls or the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 series of standards. But standards are intentionally not prescriptive. Frameworks such as NIST’s Cybersecurity Framework (CSF), the Center for Internet Security (CIS) Controls, or COBIT® are frequently used as reference structures for security program implementation. But in the end, each cybersecurity decision maker must leverage their own expertise, consult with outside experts, attend conferences and study the latest trends to determine the best practices for their program’s personnel, processes and technologies.

But what is missing from standards and frameworks are outcomes. Very little attention is paid to what has worked well in the real world because such data are only available in narrow information silos. Imagine if, instead of relying on vendor inputs, consultant opinions and trend-of-the-day approaches, each cybersecurity decision maker could leverage analytic results about what works best in a given cybersecurity domain for similar organizations. This would enable practitioners to pursue the strategies that work, including the impacts of scarce cybersecurity resources and extreme security management complexity, then constantly adapt those strategies to further pursue increasingly positive cybersecurity outcomes.

Imagine if, instead of relying on vendor inputs, consultant opinions and trend-of-the-day approaches, each cybersecurity decision maker could leverage analytic results about what works best in a given cybersecurity domain for similar organizations.

Naturally there are obstacles to such a concept. For one, no existing cybersecurity tool vendor is ethically in a position to bring such a capability to light. That vendor would lack the required impartiality. In addition, a great deal of prework is required to harvest cyberstrategy and outcome information and store it in a common, analyzable form.

But the results of such a shift in the global cybersecurity landscape could produce outsized positive results and are, therefore, worth pursuing.

Endnotes

1 Carter, C., Goodwin, R.W., Gordon, H., et al (Executive Producers); The X-Files [TV series], Ten Thirteen Productions, 20th Century Fox Television, 1993-2002

Kevin E. Jackson

Is founder and chief executive officer of Level 6 Cybersecurity, a start-up enterprise committed to making outcome-based cybersecurity a reality. Jackson has more than 30 years of technology experience including executive leadership roles in cybersecurity consulting, information security strategy, compliance management, enterprise architecture, IT infrastructure, business intelligence and IT program management. He is also an adjunct professor teaching online business intelligence and data analytics program management classes at Villanova University (Pennsylvania, USA).