I spoke recently about the magical powers of getting specific data from the people who are managing cybersecurity on your behalf.
Through the simple act of asking, the data points magically improve over time.
But there is one potential problem
There is a conflict of interest:
- The people doing the job are also
- The people providing you with data that shows how well or badly they are doing the job.
No rational person will provide you with data that suggests they are not doing their job.
There is a risk that what you are told may not be the reality on the ground.
What have I seen?
I frequently work on behalf of organisations to assess the health of their cybersecurity defences. As part of this work, I talk to the people who are managing the defences and I ask for some specific data points (some of which I mentioned previously).
The numbers I’m told usually sound pretty healthy. (There are always a couple of areas that need some attention – no environment is perfect.)
I then ask for evidence to back up these numbers – for example, automated reports generated by their system management tools.
And on more occasions than you’d expect…
- The evidence does not match the numbers originally provided, or
- The evidence is not provided at all – all I see is tumbleweed!
I have other ways to check their homework, so it’s not a big problem for me.
But it can be a problem when you are reliant on the people who are doing the job to also provide you with the data that shows they are doing the job correctly.
Be mindful that the data points you are given may not be a true reflection of the reality on the ground.
Always seek evidence wherever it is available.
[Absence of Evidence] may be [Evidence of Absence].
One final tip
If you are unsure about the people who are managing cybersecurity on your behalf, engage an independent third party who can objectively assess their work for you.
And yes, of course I mean someone like me!