I had the opportunity recently to speak about “Advanced Security” at the Evanta CISO Executive Summit event in Houston. Just before going onstage for my presentation, I had a great conversation with David Frazier (Director of IT for Halliburton) about the approaches he’s taken not only in security strategy, but in discussing security with the executive team. As I gave the talk, I found myself framing a lot of the presentation in terms of that communication between security leadership and the executive team. And I was reminded, in talking about the anatomy of advanced attacks and advanced response, how powerful a tool telling the story can be.
One of the graphics that I used shows the contrasting timelines of the attacker and defender in an advanced attack. It captures that essential concept of “attacker free time” – that dangerous interval when the attacker is moving undetected through the defender’s environment – and the critical importance of technologies, processes, organization structure and education in reducing that interval as much as possible.
In the presentation in Houston, I found myself using the graphic to tell the story of advanced attacks, including linking it back to our own experience at RSA a year ago. I’ve been a storyteller for a long time, not only in publications and concerts, but even more in the stories I re-told or made up for my children. But I haven’t used narrative very often in describing the world of security. Tlling the story – not just anecdotes that illustrate or enliven particular points, but the narrative of attack and defense – brought an authenticity and immediacy to the presentation. It helped in establishing both the real threat that we all face these days and also the real opportunities we have in responding to that threat.
At RSA, we’re working on formalizing those stories into models of attack and defense that can be expressed in game theory and represented in agent-based models. Those models will be extremely valuable in formulating effective response to various attack scenarios. (I’ll be writing more about this in an upcoming blog.)
Re-discovering the story reminded me that we need to be sure to use narrative as well. Telling the story is a powerful tool we need to take advantage of in discussing the threats confronting us and the strategies that we need to put in place to address the those threats.