CHAPTER 2
Everything around you that you call life was made up by people that were no smarter than you.
And you can change it, you can influence it… Once you learn that, you'll never be the same again.
— Steve Jobs
Opportunity
Chapter 1 established foundational vocabulary and connected you to the business's scoreboard, the financial statements. The financial statements are how the outside world judges your CEO and Board of Directors. However, most employees never see complete financial statements. Even in a publicly traded company where the financial statements are readily available for download, you are unlikely to have your manager speak directly to the Annual Report, much less distribute it for your review. Instead, operators of the business focus on how to create, deliver, and capture value.
To ease into the concept of value as a black box, let's begin with an analogy. Shortly after I graduated from college, I accidentally stumbled into a penetration testing role. I loved it. Breaking stuff was fun!
A successful penetration (pen) tester must understand foundational technologies to be effective. Without knowledge of how database queries or serialization languages function, a pen tester may fail to identify a bug. Further, without understanding the functional and nonfunctional requirements of an application, coding defects will likely remain undiscovered.1
In short, pen testers may emulate specific tactics, techniques, and procedures (TTP) to evaluate an application. Mastery of the pen testing discipline requires that you move beyond guessing what's in the black box. You have to combine TTP and organizational context to thrive. You must understand how your target contributes to the organizational flywheel and if you can disrupt the flywheel – people care.2
As a leader, the knowledge you use evolves from technical specifics such as SQL, XML, and JSON to business knowledge and influence skill. Mastery of development frameworks, coding methodology, and encoding techniques are no longer the primary predictors of your effectiveness.
Instead, your tool belt looks quite different. Most security professionals fail to capture the elusive opportunity to inject security into executive dialogue and decision-making processes. This chapter will review foundational tools that will enable you to decompose any business from several different perspectives. Without the understanding that these tools provide, you are the management equivalent of a script kiddie. That said, reckless application of these tools can be as dangerous as Metasploit in the hands of a teenager.
So, this chapter will get you pointed in the right direction. Later, in Part II – Communication and Education and Part III – Cyber Security Leadership, we will expand upon the tools covered in this chapter by offering guidance on how to secure budgets, navigate bureaucracies, steer technology decisions, and modify behaviors throughout the business.3
Principle
The most fundamental goal of any business is to serve its customers profitably. This section will overview essential tools that intimately connect you to the heart of a company. Specifically, you will learn about business models, company performance metrics, value chains, systems theory, and risk-adjusted measurement. These tools will enable you to:
· Identify key value drivers
· Understand which measures likely influence peer behavior
· Clarify your (cybersecurity) role in the value chain
· Avoid pitfalls revealed by system theory
· Report risk measures in the context of business performance
No doubt, equipped with these requisite tools, your future exploits on the internal battlefield will produce better results. Let's begin with the business model.
Business Model
The business model describes the rationale of how an organization creates, delivers, and captures value. Meanwhile, The Business Model Canvas (the canvas) offers a shared language for describing, visualizing, assessing, and changing business models. The canvas comprises nine basic building blocks, including customer segments, value propositions, channels, customer relationships, revenue streams, key resources, key activities, key partnerships, and cost structure.4
Figure 2.1 presents the canvas visually:
As a new or incoming security leader, I suggest building a canvas to solidify your early understanding of the business. Produce the canvas as a formal deliverable of your systematic approach to learning in the first 90 days of employment.5 Do this business analysis before you get recent audit reports, pen test results, or a systems inventory. Now, if you've been with a company for quite some time, you will also benefit from new insights by completing the mapping exercise. In the Application section of this chapter, we will construct a sample canvas and offer a few examples of how the canvas has proven helpful in driving change within a services business.
FIGURE 2.1 The Business Model Canvas
Source: Osterwalder, A., and Pigneur, Y., Business Model Generation: A Handbook for Visionaries, Game Changers, and Challengers, John Wiley, 2010. Reproduced with permission of John Wiley & Sons
Note that you can use online tools such as the canvanizer (https://next.canvanizer.com/demo/business-model-canvas) to map out your business.
Company Performance Measures
One cannot deploy security countermeasures successfully while lacking a solid understanding of the business, its risks, and its compliance obligations.6 After achieving clarity on the business model, the logical next step in understanding how a business derives value for its customers and equity holders is to dissect its key performance indicators (KPIs).
In most companies, success or failure depends upon a small set of executive KPIs. This streamlined set of metrics often impacts returns for shareholders and compensation for teams/individuals.
Personally, both times that I built and led a security function, the commitment to adding a security leader came immediately following an infusion of capital from a Private Equity (PE) transaction. I have learned that it can be beneficial to understand your Board's makeup, including those who are Independent Directors vs. Controlling Shareholders. Understanding Board composition is helpful even if you don't interact with the Board directly.
There are many types of investors. Each investor has a strategy that will guide the types of investments made. Frequently the investment strategy is derived from a unique ability to enhance the performance of the target investment.
For example, PE investors say they place a heavy emphasis on adding value to their portfolio companies, both before and after they invest. The sources of that added value, in order of importance, are increasing revenue, improving incentives and governance, facilitating a high-value exit or sale, making additional acquisitions, replacing management, and reducing costs.7
That is to say, knowing about investors can clarify what types of value creation activities will be most important. The metrics investors commonly care about most include Revenue, Gross Profit, EBITDA, and Free Cash Flow. The relative priority of these metrics will be determined in large part by how investors realize gains. More on this in Chapter 4 – Value Creation.
Ironically, in high-performing teams, these numbers are not usually the focus of individual managers outside of the executive leadership team. To understand why, we need to discuss lead and lag measures. A lead measure tells you if you are likely to reach the goal, while a lag measure tells you if you've achieved it. All the metrics above are lag measures. To illustrate, consider W. Edwards Deming's comments that managing a company by looking at financial data, which are lag measures, is like “driving a car by looking in the rearview mirror.”
Considering the lead measures that directly affect the Key Activities, Value Propositions, Cost Structure, and Revenue Streams is an ideal starting place. Once you are clear about which numbers drive your organization's value, you can begin to connect security using the concept of value chains.
Cybersecurity: Part of the Value Chain
For most companies, strategic planning usually starts as a cross-functional off-site exercise for executive teams. Once complete, with organizational targets set, teams break off to organize themselves and execute accordingly. This pattern usually results in cascaded goals, objectives, and measures. Unfortunately, teams optimize within their department, often unaware of the interdependent processes affected by their efforts.
As we all know, operating in silos causes many vexing cultural and performance challenges for middle managers in particular. More than 35 years ago, Michael Porter wrote a book titled Competitive Advantage: Creating and Sustaining Superior Performance. In his book, he outlines The Generic Value Chain.
FIGURE 2.2 The Generic Value Chain
Source: Porter, M.E. Competitive Advantage: Creating and Sustaining Superior Performance, The Free Press, 1985. Copyright © 1985 by Michael E. Porter. Reprinted with the permission of The Free Press, a division of Simon & Schuster, Inc. All rights reserved.
Using the value chain model, we can examine the discrete building blocks of competitive advantage. He explains that “Firm infrastructure consists of many activities, including general management, planning, finance, accounting, legal, government affairs, and quality management.” As seen in Figure 2.2, infrastructure, unlike other support activities, usually supports the entire chain and not individual activities.8
Given this definition, cybersecurity can be considered firm infrastructure in the context of the value chain model. Per Porter's admission, firm infrastructure is sometimes viewed only as “overhead” but can be a powerful source of competitive advantage. He goes on to explain, “firms have often gained a competitive advantage by redefining the roles of traditional activities.”
But we're not done with the model yet. We can go beyond the simple rosy statement that cybersecurity teams can add value in unconventional ways. “Although value activities are the building blocks of competitive advantage, the value chain is not a collection of independent activities but a system of interdependent activities. Linkages within the value chain relate value activities. Linkages are relationships between the way one value activity is performed and the cost or performance of another. Competitive advantage frequently derives from linkages among activities just as it does from the individual activities themselves.”
“Though linkages within the value chain are crucial to competitive advantage, they are often subtle and go unrecognized.” Indeed, “exploiting linkages also frequently requires optimization or coordination that cuts across conventional organizational lines.” And finally, we observe that “given the difficulty of recognizing and managing linkages, the ability to do so often yields a sustainable source of competitive advantage.”
Porter explains that there are two basic types of competitive advantage: cost leadership and differentiation. Considering his model from the vantage point of cybersecurity yields critical and empowering insights:
· There is ample room for a company to leverage cybersecurity as a competitive advantage.
· A cybersecurity teams' unique position and skill permit it to identify what Porter terms “proprietary learning,” a primary source of sustainable differentiation.
· While other parts of a company have a cross-functional supporting role, most of these functions, such as finance, legal, and quality, lack the technical expertise or technology operations intimacy to offer the insights cybersecurity teams naturally surface. These insights are increasingly valuable in the age of “digital transformation.”
If this is all true, what should we as security practitioners be looking for given our unique vantage point?
Linkages can lead to competitive advantage in two ways: optimization and coordination.
To begin with, we can start inside our teams. We can model the changes we hope to observe in our broader organization, not by optimizing our own performance alone but instead by serving as a supporting function designed to create competitive advantages for the firm.
Malcolm Harkins got it right when he said, “Security teams need to be the risk-takers, to be at the forefront so they can shape the path.” Manage the risk instead of being the ones always saying no. “If you're the one experimenting with it, you can be the one to figure out how to manage the risk before everybody else gets there.” Further, “you have to show how, as technology spending grows, you're going to ask for a smaller percentage of that spend, with lower friction on the business and the user experience with lower liability.”9
In the application section, we'll review an example of optimization and another of coordination.
Apply Systems Theory to Avoid the Trap
There is an increasing focus on Security Performance Management (SPM). This trend, no doubt, correlates with business leaders allocating material budgets to security teams, in addition to pervasive cybersecurity board reporting. As with any new term, SPM means different things to different people. For our purposes, I reference SPM only to highlight cybersecurity teams are beginning to optimize in various ways. But don't fall for the trap.
As we just discussed, it is common for business leaders to optimize the performance of their team's processes. All too often we see security teams working hard to optimize security operations or security engineering processes. In contrast, the real target should be to maximize business performance as a whole. Stated differently, optimize the system.
Why is the distinction between system and process so important? The answer lies in one of the fundamental assumptions of systems theory: the whole is not equal to the sum of its parts. The assumption that it is originates in a fundamental algebraic axiom. Unfortunately, however, complex systems are anything but mathematically precise. The improper allocation of the algebraic axiom to the management of organizations would sound like this:
· If we break down our system into its components, maximize the efficiency of each one, then reassemble the parts, we'll have the most efficient systems.
It's been said that elegant theories are often slain by ugly inconvenient facts. That's the case here. The mathematical or analytical approach to system improvement is one of those victims. It's also been said that the “devil is in the details.” Where complex systems are concerned, those details make up many of the aforementioned ugly, inconvenient facts. And they are often in the linkages between system components, not the components (links) themselves. Yet organizations continue to blithely polish the efficiency of these links, blissfully ignorant of the real location of the most vexing contributors to less-than-desirable system performance: the interfaces among components.10
Let me contrast for a moment. I am advocating that you optimize your security function. Further, I am explicitly saying you should NOT do so at the expense of business performance. It is necessary to remember that you play a supporting role. In that role, you should actively seek ways to protect important things. How you achieve this needs to consider company performance as a whole.
Vulnerability reporting is a straightforward example. Often, security teams report findings aggregated by the vulnerability. They are tossed over the fence in a spreadsheet format for operations teams to sort through. It is rarely the case that a single group owns all systems impacted by a particular vulnerability. Vulnerability-oriented reporting may result in a lot of effort for other teams. Before they can begin to drive resolution, they must triage and assign tickets to the appropriate team members. In a dynamic environment, it can be very challenging even to get started.
Another typical example is the drag that robust static code analysis can put on a continuous integration/continuous deployment (CI/CD) pipeline used by developers to accelerate organizational learning and enhance market responsiveness. There's no need for pandering to developers or eradicating static code analysis. There are more efficient and operationally friendly ways to balance security outcomes in the context of business performance.
For example, DJ Schleen worked to implement a “fail intelligently” approach by having security scanning tools simply tag a software build with an annotation indicating it can never be released to production because of the vulnerabilities it contains. In this scenario a message is returned to the developer with the warning, and a work item is created for the developer who checked in the code.11 This is a great example of applying The Three Ways.12 It serves to increase flow, decrease waste, and balance security in the process. This can be directly associated with primary business outcomes.
Now let's take that concept – security performance wrapped up in a business context – one step further by considering risk-adjusted measurement.
Measure Business Performance Relative to Risk
To illustrate the concept of risk-adjusted measurement, let's briefly examine Modern Portfolio Theory (MPT). Then we'll extend the idea into the world of cybersecurity.
The Sharpe ratio is a widely used method to determine a portfolio's risk-adjusted return.13 By using the Sharpe Ratio, you can optimize the return of an investment relative to its risk. A portfolio manager may build a diversified portfolio of stocks that have low correlations to decrease portfolio risk. An important lesson here is that it is possible to reduce portfolio risk without affecting returns.
Generally, the greater the value of the Sharpe ratio, the more attractive the risk-adjusted return. Here, we see again that a system operates best when its parts work together rather than when the pieces are all optimized as individual components, or even worse, by simply ignoring the risk altogether.
Now, the concept of risk-adjusted measurement has the potential to connect security operations to business outcomes. So how does this risk-adjusted measurement work?
You need to start with leading performance indicators since they are things you can control. Lead measures are prime candidates to scrutinize when attempting to integrate a risk perspective into business performance measurement.
Don't be surprised if most of your executive KPIs are lag measures. You may have to dig into the metrics of other teams. Prying open metrics can be a sensitive topic for inexperienced, insecure, or underperforming leaders. Be transparent about what you are attempting to achieve and why.
I suggest you target the metrics that have an apparent causal impact on business performance. The key here is to identify Vital Behaviors, which are typically limited to one or two things that will yield a disproportionate influence on your success.14 Apply the 80/20 rule made famous by the Pareto Principle. Be careful to avoid the false cause logical fallacy, meaning correlation is not causation.
Paul Proctor at Gartner developed a Risk-adjusted Value Model (RVM) several years ago that applied risk-adjustments to business metrics as a way of communicating risk and supporting risk decisions in a business context. In 2020, the RVM work evolved into outcome-driven metrics (ODM) and risk, value, cost (RVC) maps. The ODMs measure risk outcomes that have a dependency relationship to business outcomes, so they behave as leading indicators. The RVC maps plot business outcomes by risk, value, and cost, which creates a richer analysis than the original risk-adjusted business metrics. ODM and RVC are discussed more thoroughly in Chapter 4.
Application
Okay, so let's spend some time practically applying this content to a real business. In this case, my employer at the time of this writing.
Case Study 1 – Cybersecurity via the Business Model Canvas
Using the canvanizer, I gradually built out the following business model canvas. We indeed transformed the business over several years, so not all the executives I interviewed in 2017 were relevant or even employed by the company five years later. As our company evolved, I periodically went back to update the canvas. I did this to re-validate my understanding of our business model.
FIGURE 2.3 Logicworks' Business Model Canvas
Now, you might think I just sat down and filled this out in a single setting. That doesn't reflect the reality at all. In truth, I drafted my initial impression of the business utilizing the canvas, and then I took it on the road. I had many conversations to solidify my understanding of our business model. I went to our Chief Revenue Officer (CRO), VP of Marketing, VP of Alliances, Director of Product Marketing, and several regional VPs of Sales to confirm their understanding and agreement of the Customer Segments, Value Propositions, Channels, Customer Relationships, and ultimately, Revenue Streams.
Once I completed my business's demand generation review, I examined other areas, including the Key Partners, Key Activities, and Key Resources. To get my head wrapped around those areas, I ran this document past our Chief Technology Officer (CTO), our VP of Professional Services, and our VP of Customer Success.
To dig into our Cost Structure, I found several folks in the Financial Planning and Analysis (FP&A) team reporting to our Chief Financial Officer (CFO). In a series of interactions, we pulled apart our executive metrics pack. We even did a deep dive into the definition of unique measures like Managed Recurring Contract Value, Net Revenue, and Pro-forma Cash Flow. This research happened over many months via meetings, emails, and Slack conversations.
Early on, using the canvas allowed me to safely build relationships and inquire into other teams' processes. That helped me gain a more intimate understanding of what was important to my peers in the business. Later, the model helped me build my knowledge of value chains and connect the cybersecurity program to our business's growth and evolution.
For example, we didn't have a Professional Services or a Product team when I started, and we also didn't offer one-time consulting engagements. Over time, we designed a Compliance Assessment (Revenue Streams) by integrating into these new workstreams. A Compliance Assessment, performed by the Professional Services team, combines tool output with best-practice interviews and results in a stylish report that offers clients insight into adherence to regulatory frameworks for their cloud operations. Later we evolved our offerings to include application modernization. This helped our business expand our capabilities and capture a broader set of customers. To support these changes, the InfoSec team had to adapt to accommodate an evolution in our business model, as well as operational adjustments, and new technology risks.
Similarly, Logicworks designed and built software including a Data Loss Prevention (DLP) product, a patch management system, and a multistage image bakery pipeline that included CIS benchmark hardening and agent installation for A/V, FIM, and other tooling. All these integrated products leveraged cloud-native tools and worked to classify, secure, report, and actively alert customers if their data was at risk (Key Activities). These new offerings enhanced our differentiation in the marketplace (Value Proposition), elevated our enterprise value by enriching our intellectual property (Key Resources), and made my job more manageable in the long run (Cost Structure).
All this progress happened over several years. My cybersecurity team wasn't required to scale in line with the rest of the business. This is because we had strong commitment from other teams to ensure that security was part of everyone's job.
Not long after we expanded our product portfolio, the business began to attract more enterprise prospects and capture larger, more complex deals (Customer Segments). This adjustment meant more sophisticated prospects would perform an increasingly thorough analysis of our security program before signing multi-year contracts. Because of our role in the sales cycle, I recognized this early and prepared for the inevitability.
We secured funding for each of the foundational pieces that comprise our Zero Trust model through contracting with various customers. Eventually, we integrated Single Sign-on, Multi-factor Authentication, Unified Endpoint Management, and Digital Certificates to perform intelligent decisions around access. This allowed efficient, scalable access in a multi-tenant, multi-cloud, multi-account environment. Luckily, enough of this happened before the COVID-19 pandemic swept the globe and pushed our operations teams to work remotely.
One recent Win Wire, a celebratory email that our CRO sends to the organization, offered this explanation for why we were able to secure a Fortune 500 client:
Our newest client is, without a doubt, the most diligent prospect I've worked with in the last seven years. As such, I don't hesitate to say that without Matt and his team's proactive approach to driving improvements to Logicworks' security and compliance posture, we would have been disqualified from this deal, full stop. Mid-negotiation, they hit us with demanding requirements for IAM strategy, BCP/DR plans, and foundational technology and processes such as UEM. None of which were met by Logicworks in the distant past. However, since the InfoSec team had proactively initiated workstreams in this domain, we met their requirements and moved the deal forward.15
Other significant achievements include changing our primary security vendor and obtaining ISO27001 certification. The vendor swap affected everyone in the business. It required cross-functional collaboration to alter marketing events, sales training, SKUs in Salesforce, data ingestion pipelines, alerting, runbooks, and agent deployment. It required SAML integration and revisions to multi-tenant access methods for clients. We even revised the procurement, invoicing, contracting, and pricing processes. It took more than a year. In Chapter 5 – Articulating the Business Case, we'll discuss the Monte Carlo analysis completed to evaluate the possible and probable outcomes of such a broad-sweeping change for our business. The latter, ISO27001 certification, was achieved in an unprecedented 90 days.
Admittedly, being able to directly create value is nice, but the day job of security is to balance the needs to protect with the needs to run the business. Although we did influence a few interesting products for our customers, the real value we provided in completing projects such as ISO certification, zero trust, and business continuity was to remove obstacles that otherwise prevented our business from:
· accepting new lead flow from partners,
· securing wins with up-market customers,
· expanding product and service offerings,
· delivering increased value through secure software and automation,
· attracting and retaining high-quality talent, and
· rationalizing our costs to deliver managed cloud operations services.
Each of these activities are measured in the form of leading indicators that other teams in our business use to direct their actions. See Table 2.1:
It's fair to say, there are plenty of things in cybersecurity that can distract you from the truly important. It is my conviction that the greatest value we add to our business stems from a foundational understanding of our business model, clarity on the value streams, and direct alignment to the leading performance indicators in our business. Without that clarity we might have deployed our resources less efficiently or become lost in “thick of thin things.” 17
TABLE 2.1 Mapping of InfoSec Projects to Leading Measures and Business Goals
Business Goal |
Leading Measure |
Enabling Project |
Accept New Leads |
Sales Accepted Leads + Win Rate → Bookings |
BCP/DR Maturity |
Address New Markets |
Up-market Customer Bookings → Revenue |
ISO27001:2013 + Zero Trust |
Product Feature Innovation |
Compliant Customer Contractual Obligations → Net Retention |
CI/CD Maturity |
Service Expansion |
Application Re-factoring → Revenue |
3rd Party Risk + New Access Architecture |
Talent Retention |
Toil16 → EBITDA |
Vulnerability Management |
Efficient Delivery |
Engineering Hours / Instance → EBITDA + Pro Forma Cash Flow |
Patching Automation |
Now, recall that earlier in the chapter, we described the two means (optimization and coordination) to drive either of the competitive advantages (cost leadership or differentiation). The next two case studies will explore one example of optimization and another of coordination.
Case Study 2 – Competitive Advantage via Optimization
Recall, in systems theory, you may intentionally be less efficient in support activities to optimize the performance of primary activities. Further, Porter explains that “Sometimes exploiting a linkage requires that a supplier's cost go up to achieve a more than compensating fall in a firm's costs, however. A firm must be prepared to raise the price it gives suppliers in such cases to make exploiting the linkage worthwhile. The opposite case is also possible, and the firm must be prepared to elevate its own internal cost if the supplier offers a more-than-compensating price cut.”
In this case, I partnered with our audit firm, Coalfire, to build a Consolidated Audit Program. During this period, my company refined our target customer segments, which eventually led to an increased set of compliance obligations.
We reached a point where pursuing certifications one after the other forced our business into persistent audit mode with all the additional audits. Conducting a series of audits presented several challenges. First, requests for evidence and meeting participation bombarded our teams all year long. Next, because we had to drive improvements and remediation throughout the year in addition to completing our audit cycles, it also meant that our teams were context-switching way too frequently.
No matter what time of year, we had an audit right in front of us. Audits can be disruptive to operations teams, and we felt it would be better to reduce the context switching by consolidating our audits. By compressing our audit calendar, Coalfire played a much more significant role in coordinating the assessments. Increasing their responsibility meant that our team received fewer information requests. They cross-walked requests in advance, so we knew which evidence would apply to each audit. The result was fewer tickets for the operations teams.
Further, multiple auditors were present for each set of interviews. That ensured that a single interview session addressed numerous compliance frameworks. Rather than interviewing the Network team ten times per year (approximately two interviews per framework), we reduced the workload to one discussion and a follow-up. We repeated this pattern for development, architecture, platform, engineering, security, and management. Since each of these interviews often included preparation and evidence gathering – the savings were appreciable.
Indeed, our audit team had to be diligent in coordinating who led each interview. Our auditors had to prepare clarifying questions to evaluate unique requirements per framework. Because they were committed to the partnership and the goals were clear, they also identified savings we didn't contemplate, such as structuring the interview schedule to dismiss some auditors early and minimize travel expenses.
In summary, we saved a ½ FTE and $20,000 in travel (which was significant given our team size), reduced the context switching challenges impacting our engineering team, and improved customer retention while flattening the cost curve. In the process, we also got higher project throughput from other groups as they helped us execute against the security roadmap.
Figure 2.4 is a copy of the key visual we presented to secure funding for the updated audit calendar:
FIGURE 2.4 Three-Year ROI for Consolidated Audit Program
Source: Coalfire Systems Inc. Used with permission.
Case Study 3 – Competitive Advantage via Coordination
In 2017 the WannaCry ransomware attack spread across the globe. For many, this was a wake-up call to the perils of ransomware. For some, it was a catalyst to further enhance existing patching practices.
No question, patching is tricky. That's exactly why so many companies struggle to do it well. Year after year the FBI espouses the wisdom of getting patching and configuration hardening right. There are so many reasons why something that sounds easy, turns out to be very difficult. Further, doing it at scale is a complex undertaking for anyone. In our services model, any manual activity equates to expense. So naturally, it's safe to say that patching could be a sizable expense when supporting a client's cloud infrastructure if it wasn't highly automated. A customer that isn't patched may become upset and leave. No doubt, profitable operations, customer satisfaction, and retention are things any business would want to optimize!
Now, Porter explains in his book: “To identify a new value chain, a firm must examine everything it does, as well as its competitors' value chains, in search of creative options to do things differently. A firm should ask questions including ‘How can the activity be performed differently or even eliminated?'”
COMPETITIVE VALUE CHAINS
When we looked at competitive value chains, here's what we found. Most of our competitors were focused on point-in-time fixed-fee project work to migrate their clients to the cloud. They didn't own a long-term relationship as we did. When you own cloud operations in the long term, you care much more about the readability of Infrastructure as Code (IaC) and you have a lot more opinions about the tools you layer into the technology stack. As a result, platform approaches to identify and correct configuration drift were also not part of our competitors' services. During the early days in the cloud, some prospects and customers were not equipped to examine or appreciate the more subtle differences in the level of service we offered. Over time, customers came to love the attention our team applied to these details that made our cloud deployments far more sustainable and manageable.
PERFORM THE ACTIVITY IN A NEW WAY
Looking back, we had performed a detailed analysis considering the top patch management vendors according to the analysts and referrals from friends and their value-added resellers. There was only one commercially supported solution we surfaced that had coverage for all the operating systems required. That solution was seemingly price prohibitive.
Shortly after the alleged North Korean hackers weaponized the NSA-developed EternalBlue exploit, I co-opted a small cross-functional group of engineers and experimented with patching automation. A few months later, we conducted a demo of our “patching product.” It leveraged cloud-native AWS System Manager (SSM) and AWS Step Functions. “Step Functions offer a serverless orchestration service that lets you easily coordinate multiple Lambda functions into flexible workflows.”18 We formulated a rough set of patching templates for the demo, a supporting instance tag structure, and several spreadsheets that would eventually help our service delivery team identify patch groups and establish patch schedules with our clients.
The use of SSM gave us other benefits such as the potential to establish software inventory, perform cross-account sync, and enable the use of services, including Amazon Athena or Amazon QuickSight. Leveraging a fast, cloud-powered business intelligence service would later allow our team to deliver insights quickly. Of course, we figured that it would also enhance our vulnerability management.
I wasn't a fan of the build option, and I preferred the buy or partner options because we had a few key engineers who commonly created engineering throughput constraints. Nevertheless, there were too many tangential benefits to ignore the potential upside. After all, the SSM agent was free! And I thought the buy-in of those creating the solution would outweigh the energy I would have to invest in selling another product. The following year, I added % managed AWS instances with the current SSM agent as one of the very few Key Performance Indicators for our team. It was a leading measure that would set the stage for both patching and enhanced operational telemetry. Two years later, we would eventually leverage these foundational investments to evaluate and enforce the configuration of AWS resources automatically, including:
· Install agents following the desired state
· Ensure compliance
· Validate agent health
· Provide real-time reporting on an entire fleet of systems
The leverage our business gained from our unconventional approach to patching and the pressure we placed on our organization to ubiquitously install SSM created operational leverage. Further, we set the stage for some intellectual property that will enhance company valuation when we exit. Through coordination, patch management became a competitive advantage.
Key Insights
· Understand Board composition: This will impact the value creation agenda of your company.
· Understand your business model: This serves as the context in which you will determine daily priorities and investments in security.
· Apply systems theory: To optimize a system, it is not necessarily true that you can simply optimize each of its parts independently.
· Leverage your vantage point: Cybersecurity can contribute to sustainable competitive advantage (cost leadership and differentiation) through proprietary learning. Typically, opportunities to improve company-wide performance surface in the form of coordination and optimization activities that serve as the connective tissue between silos in your company.
· Connect your activities directly to the business: This is done by understanding valuation and other KPIs. Then determine what your business feels are leading indicators of business success. Finally clarify what you can do to support and protect business value creation. Consider risk-adjusted value metrics and outcome-driven metrics to measure and report your progress in business terms.
Notes
1. 1 Armerding, T., “Security Flaws and Bugs: Both Bad, but in Different Ways,” Synopsys, July 29, 2020. Accessed September 3, 2020. https://www.synopsys.com/blogs/software-security/security-flaws-vs-bugs/.
2. 2 Collins, J., Good to Great: Why Some Companies Make the Leap and Others Don't, HarperCollins Publishers Inc., 2001.
3. 3 Harkins, M.W., Managing Risk and Information Security: Protect to Enable, 2016.
4. 4 Osterwalder, A., and Pigneur, Y., Business Model Generation: A Handbook for Visionaries, Game Changers, and Challengers, John Wiley & Sons, 2010.
5. 5 Watkins, M., The First 90 Days: Critical Success Strategies for New Leaders at All Levels. Harvard Business Review Press, 2003.
6. 6 Fey, M., Kenyon, B., Reardon K., Rogers, B., and Ross, C. Security Battleground: An Executive Field Manual, Intel Press, 2012.
7. 7 Gompers, P., Kaplan, S.N., and Mukharlyamov, V., What Do Private Equity Firms Say They Do?, 2015. Accessed September 8, 2020. https://www.hbs.edu/faculty/PublicationFiles/15-081_9baffe73-8ec2-404f-9d62-ee0d825ca5b5.pdf.
8. 8 Porter, M.E., Competitive Advantage: Creating and Sustaining Superior Performance, The Free Press, 1985.
9. 9 Lewis, J., “The CISO as a Choice Architect: A Conversation with Malcolm Harkins,” Rain Capital, August 13, 2020. Accessed September 3, 2020. https://www.raincapital.vc/blog/2020/8/13/the-ciso-as-a-choice-architect-a-conversation-with-malcolm-harkins.
10. 10 Dettmer, H.W., The Logical Thinking Process: A Systems Approach to Complex Problem Solving, ASQ Quality Press, 2007.
11. 11 Stearn, A. et al., Epic Failures in DevSecOps: Volume 1, 2018.
12. 12 Kim, G., Humble, J., Debois, P., and Willis, J., The DevOps Handbook: How to Create World-Class Agility, Reliability, & Security in Technology Organizations, IT Revolution Press, 2016.
13. 13 Sharpe, W.F., “The Sharpe Ratio,” Journal of Portfolio Management (Fall 1994). Accessed September 10, 2020. http://web.stanford.edu/~wfsharpe/art/sr/sr.htm.
14. 14 Grenny, J., Patterson, K., Maxfield, D., McMillian, R., and Switzler, A., Influencer: The New Science of Leading Change, McGraw-Hill Education, 2013.
15. 15 Freilino, R., “Logicworks Win Announcement,” 2020.
16. 16 Harvieux, E., “Identifying and Tracking Toil Using SRE Principles,” 2020. https://cloud.google.com/blog/products/management-tools/identifying-and-tracking-toil-using-sre-principles.
17. 17 Covey, S.R., The 7 Habits of Highly Effective People: Powerful Lessons in Personal Change, Simon & Schuster, 1989.
18. 18 AWS, “Create a Serverless Workflow with AWS Step Functions.” Accessed September 27, 2020. https://aws.amazon.com/getting-started/hands-on/create-a-serverless-workflow-step-functions-lambda/.