Cybersecurity professionals are by nature skeptics. It is our job to take all the things that make modern society function technologically, hack them, and show you that the world in fact is not as safe, private, and secure as you thought. We then devise ways of protecting you against people who maliciously use the same skills and curiosity to commit crimes and put the confidentiality, integrity, and availability (CIA) of our systems and data at risk.
Most of us are familiar with the intelligence quotient (IQ) and many of us even with the emotional intelligence quotient (EQ), which purport to measure said attributes. At Sophos we feel it is crucial that we evaluate our work by its worth as well, so we created, and for years have operated, our own assessment to ensure the quality, respect, integrity, and usefulness of the research and products we produce meet the highest standards — its cyberseriousness quotient (CQ).
This article is an introduction to the concept of CQ, the factors that CQ balances in the day-to-day life of Sophos, and some (hypothetical?) examples of What Not To Do. In the weeks ahead, we’ll get into the details – how we evaluate the CQ in our projects, and how prioritizing CQ works for us (even when it creates extra steps).
Conceptualizing CQ: Three constituencies
Coined several years ago by Joe Levy, the president of Sophos Technology Group, CQ is a qualitative assessment to make sure our customers, the general public, and researchers can count on the best possible content and products when sourced from Sophos.
Just as security is a journey, not a destination, CQ is something we live. It is the start of each project we work on. Changes should be measured on whether they increase the CQ of the project, ultimately showing our customers that their security, our knowledge of cyber risk, and the effective protection of their data is always at the top of our mind.
We all have many competing requirements, but it is in keeping these often-conflicting goals in balance that we do ourselves and others right. To exist and do research we must make money to hire the people to make the things that provide value to the world. I know that if I want to continue to follow at Sophos my passion of impactful research, I also need to be sure it has value and contributes to the safety and productivity of my customers, which in the end will ensure the bills that cover my research are paid.
If on the other hand we let the needs of the business outweigh the needs of our customers, we end up in dangerous territory. There are stories and research published every day by those seeking to make something into a big problem that only they can help you solve. This behavior is so prevalent that a prominent cybersecurity journalist, Patrick Gray, has resorted to calling cybersecurity vendors “Snake Oilers.” The behavior does no one any good and in fact often results in organizations focusing energy on things that are a sensational flash, even while they suffer data breaches from someone using the boring stuff to compromise them.
For research in particular, there’s a third aspect to CQ. Often, the most interesting research is a result of what I will call the “intellectual pursuit of happiness.” Curiosity will lead us down many a joyful path, and the joy of unraveling a complicated security mystery is what drives so much of our greatest work. To get the most impactful results from our work we need freedom to pursue these curiosities and share our findings with our peers. This work is often the highest CQ of all.
CQ is a test that our published work, from research findings to our corporate communications, takes to make it out the door. Our assessment has many dimensions, which we intend to share in a follow-up post. It is something we expect all our staff to apply to the tasks they are responsible for and in the interactions with our customers through technical support, sales, and marketing events we participate in. In essence it must be an ingredient in all our recipes if it is to have meaning.
How does CQ work in practice? If we’re doing it right, it is a virtuous circle, and the tenets of CQ guide us to deliver projects with quality, respect, integrity, and usefulness at their core. As noted above, we’ll be laying out specifics of how we address and (when possible) measure each of these four aspects in a later article. For now, though, let’s ease in with a few examples.
Seeking CQ: Three failures
For a depressingly common example of the sort of trouble CQ seeks to avoid, imagine that Company X has a new product about to launch. The public will all too often see some Company X “research” published that is so sensational it is bound to grab headlines. This research is used to generate interest in the product launch, yet even a cursory glance or scratch of the surface of this so-called “research” unveils bias, manipulated statistics, and crimes of omission.
Here’s another. Perhaps you’ve seen a sales presentation from Company Y about their new solution that effortlessly stops all threats: Nex-Gen Snake Oil 2023 Professional. The total cost of ownership is 60% less due to you no longer getting infected, no longer needing to threat hunt, and no longer needing to handle incident response. Sounds great! Sign me up, right? One little gotcha: With 100% detection (“stops all threats”) comes a 10% false-positive rate, resulting in a 2,000% increase in support calls and a 20% drop in employee productivity. No CQ applied.
CQ can be critically low beyond the world of product launches, of course. Earlier, we described work stemming from the intellectual pursuit of happiness as a helpful indicator of potentially high CQ. It’s true overall, but sometimes the “hey, cool!” factor can actually detract from high CQ. Imagine a researcher who theorizes that singing to your computer can improve its security. (We’ve heard worse.) Pursuing research on musical infosec might well lead at some point to tools that customers can embrace. However, if we were to declare that “everybody will love musical infosec and this will differentiate us to customers!” and immediately made it the new Sophos product interface going forward, that would be a low-CQ moment – quality uncertain (and frankly probably low without a remarkable amount of interdisciplinary research underpinning it), respect and integrity potentially high, but usefulness almost definitely poor – literally a tone-deaf-CQ moment.
Researchers – X-Ops’ contribution to Sophos as a whole – should be unafraid to explore and think weird thoughts, but high CQ means that even researchers must ultimately have a sense of how their work speaks to the needs of the business and the customers.
If you are applying CQ principles to products and the research that leads to products, these problems cease to exist. You will be doing research that identifies actual problems that are leading to organizations being compromised. When it is time to announce the new product or feature, you have a wealth of research to support your claims. Because the research is in service of customers’ actual needs, you don’t need to use sleight of hand and gimmicks. Your research advances the state of cybersecurity across the industry and makes sure customer protections stay focused and relevant, purposefully innovating rather than just throwing “cool” or trendy features into products. The worth of the work speaks for itself and supports the greater good.
All our work stems from our relentless pursuit of facts. Our experts then use their expertise to interpret this information to establish ground truth for others to build upon. Public relations, marketing, product management, and other teams work from this ground truth to ensure their work aligns with what we know — not the other way around.
With 24-hour news channels and a media landscape desperate for ad impressions and clicks to eke out an existence, it can be tempting for cybersecurity vendors to exploit peoples’ worst fears and thirst for outlandish headlines to further an agenda. The problem is when vendors participate in this kind of activity, they not only muddy the waters, they distract the audience from the truth – and decrease its ability to respond to actual, current threats.
Living CQ: Three examples
For more information, watch this space for the second part of our CQ series, where we’ll lay out how customers can use CQ to navigate the current security landscape, especially as they assess potential partners and vendors. (We’ll also discuss some interesting business considerations that arise when CQ is part of the daily mix.) In the meantime — and just in case you’re done with the bad hypothetical examples and would like some good real examples — here are a few Sophos projects we point to internally as examples of high CQ, with some thoughts on why:
The Sophos X-Ops blog – This is a no-hype zone; researchers are encouraged to dig deep, cite non-Sophos research where appropriate, question everything, and generally show their work.
- Quality: Non-negotiable. Every post, article, and (soon!) video at Sophos is vetted throughout the development process and at multiple levels of the company. In addition, we have a specialist team of infosec researchers who also bring to Sophos extensive journalism and publishing experience. Every published piece on the X-Ops blog has one or more of these specialists riding shotgun to gather technical and editorial feedback from colleagues throughout Sophos – and to make sure the results are readable and engaging.
- Respect: The process of not just vetting research but publishing clear, accurate, readable information on it has to be rigorous, but collaborating respectfully keeps the ego-bruising to a minimum. Sophos researchers invited to publish are strongly encouraged to acknowledge colleagues (in and out of Sophos) who contributed to their work.
- Integrity: In addition to quality and integrity being intrinsically related in our pre-publication vetting process, it’s important to us that our published research acknowledges that we are part of a wider community of defenders. No research in the infosec world – none – happens in a vacuum. Researchers publishing to the X-Ops blog are required to cite their sources, preferably with links to the source – even if that’s a competitor’s web site.
- Usefulness: Sometimes work we publish is immediately actionable, and sometimes it’s a deep dive into an infosec topic that’s interesting or worth analyzing deeply, whether as a foundation for further research or on its own. The most useful thing we can invariably do is to ensure that what we publish is accurate, to the point, and clear.
Sophos Trust Center: Trust must be earned, but you certainly shouldn’t take our word for it. To earn your trust we feel that we must be as transparent as possible with regard to our own security, coding practices, and governance.
- Quality: We’re confident our practices are up to the highest standards and share not only what we do, but how we do it. This is not only transparent and open, but can be a helpful guide to others looking for a place to start and follow in our footsteps.
- Respect: Whether working with external penetration testers or operating our bug bounty program, our respect for the community can be quantified through our actions. Like any organization, even our best efforts do not result in perfect security. Our best way to continuously improve is to treat the community of security researchers with respect and take their feedback to heart.
- Integrity: We publish our corporate policies on ethics, compliance with regulations, environmental impacts, customer data handling, and more in our Trust Center. While we expect all employees to read and adhere to these standards, we feel they should be public so our partners and customers know how we conduct our operations.
- Usefulness: There are many circumstances where being able to quickly gain access to what you need while assessing your partner’s security posture is important. It is also a way to compare your options when looking for new vendors or employers.
The Active Adversary Report (link goes to April 2023 edition): Now in our third year (and at this writing, deep in the process of assembling the second of 2023’s three editions), AA reports on what our Incident Response teams have seen in the field lately.
- Quality: AARs are based on IR data gathered at every state of the process, from client-intake information to the final incident report. All data used in the report is scrupulously normalized before analysis, and multiple reviews of the data are conducted throughout the process of building each report. In addition, previous reviews and analyses are re-reviewed if the data is re-used (eg., in historical analysis), to make sure that it’s normalized and analyzed in accordance with current best practice.
- Respect: We take fairly extreme measures (and undertake multiple reviews in-house) to ensure that the IR clients represented the report are never revealed by the data…
- Integrity: …but we make a point of being as transparent as possible about how we work with the data, and what portion of the infosec landscape is represented in it, in the Methodology section included at the end of AARs starting this year.
- Usefulness: Since launching in 2021 we’ve worked to find, in these piles of data, insights that can help the defenders who face down threats to their own systems every day. For 2023, we realized that we could improve AAR’s usefulness by looking at the data through multiple lenses — after all, business leaders, tech leads, and threat hunters are all defenders, but their information needs aren’t the same. And that’s how one Active Adversary Report became three.
Cybersecurity is harder than it has ever been, and as a responsible vendor in this space we must help highlight the biggest risks, and moreover help others comprehend those risks so they can respond appropriately to defend themselves. Practicing CQ ensures we are always on the right side of the line. Cybersecurity is a business of trust, and in the 38 years Sophos has been securing people, we have always put their trust at the front of the line.