
Introducing Cyberseriousness: A manifesto for quality, respect, integrity, and usefulness in infosec

Illustration by geralt via Pixabay

Cybersecurity professionals are by nature skeptics. It is our job to take all the things that make modern society function technologically, hack them, and show you that the world in fact is not as safe, private, and secure as you thought. We then devise ways of protecting you against people who maliciously use the same skills and curiosity to commit crimes and put the confidentiality, integrity, and availability (CIA) of our systems and data at risk.

Most of us are familiar with the intelligence quotient (IQ) and many of us even with the emotional intelligence quotient (EQ), which purport to measure said attributes. At Sophos we feel it is crucial that we evaluate our work by its worth as well, so we created, and for years have operated, our own assessment to ensure the quality, respect, integrity, and usefulness of the research and products we produce meet the highest standards — its cyberseriousness quotient (CQ).

This article is an introduction to the concept of CQ, the factors that CQ balances in the day-to-day life of Sophos, and some (hypothetical?) examples of What Not To Do. In the weeks ahead, we’ll get into the details – how we evaluate the CQ in our projects, and how prioritizing CQ works for us (even when it creates extra steps).

Conceptualizing CQ: Three constituencies

Coined several years ago by Joe Levy, the president of Sophos Technology Group, CQ is a qualitative assessment to make sure our customers, the general public, and researchers can count on the best possible content and products when sourced from Sophos.

Just as security is a journey, not a destination, CQ is something we live. It is the start of each project we work on. Changes should be measured on whether they increase the CQ of the project, ultimately showing our customers that their security, our knowledge of cyber risk, and the effective protection of their data is always at the top of our mind.

We all have many competing requirements, but it is in keeping these often-conflicting goals in balance that we do ourselves and others right. To exist and do research we must make money to hire the people to make the things that provide value to the world. I know that if I want to continue to pursue my passion for impactful research at Sophos, I also need to be sure it has value and contributes to the safety and productivity of my customers, which in the end will ensure the bills that cover my research are paid.

If on the other hand we let the needs of the business outweigh the needs of our customers, we end up in dangerous territory. There are stories and research published every day by those seeking to make something into a big problem that only they can help you solve. This behavior is so prevalent that a prominent cybersecurity journalist, Patrick Gray, has resorted to calling cybersecurity vendors “Snake Oilers.” The behavior does no one any good and in fact often results in organizations focusing energy on things that are a sensational flash, even while they suffer data breaches from someone using the boring stuff to compromise them.

For research in particular, there’s a third aspect to CQ. Often, the most interesting research is a result of what I will call the “intellectual pursuit of happiness.” Curiosity will lead us down many a joyful path, and the joy of unraveling a complicated security mystery is what drives so much of our greatest work. To get the most impactful results from our work we need freedom to pursue these curiosities and share our findings with our peers. This work is often the highest CQ of all.

CQ is a test that our published work, from research findings to our corporate communications, takes to make it out the door. Our assessment has many dimensions, which we intend to share in a follow-up post. It is something we expect all our staff to apply to the tasks they are responsible for and in the interactions with our customers through technical support, sales, and marketing events we participate in. In essence it must be an ingredient in all our recipes if it is to have meaning.

How does CQ work in practice? If we’re doing it right, it is a virtuous circle, and the tenets of CQ guide us to deliver projects with quality, respect, integrity, and usefulness at their core. As noted above, we’ll be laying out specifics of how we address and (when possible) measure each of these four aspects in a later article. For now, though, let’s ease in with a few examples.

Seeking CQ: Three failures

For a depressingly common example of the sort of trouble CQ seeks to avoid, imagine that Company X has a new product about to launch. The public will all too often see some Company X “research” published that is so sensational it is bound to grab headlines. This research is used to generate interest in the product launch, yet even a cursory glance or scratch of the surface of this so-called “research” unveils bias, manipulated statistics, and crimes of omission.

Here’s another. Perhaps you’ve seen a sales presentation from Company Y about their new solution that effortlessly stops all threats: Nex-Gen Snake Oil 2023 Professional. The total cost of ownership is 60% less due to you no longer getting infected, no longer needing to threat hunt, and no longer needing to handle incident response. Sounds great! Sign me up, right? One little gotcha: With 100% detection (“stops all threats”) comes a 10% false-positive rate, resulting in a 2,000% increase in support calls and a 20% drop in employee productivity. No CQ applied.

CQ can be critically low beyond the world of product launches, of course. Earlier, we described work stemming from the intellectual pursuit of happiness as a helpful indicator of potentially high CQ. It’s true overall, but sometimes the “hey, cool!” factor can actually detract from high CQ. Imagine a researcher who theorizes that singing to your computer can improve its security. (We’ve heard worse.) Pursuing research on musical infosec might well lead at some point to tools that customers can embrace. However, if we were to declare that “everybody will love musical infosec and this will differentiate us to customers!” and immediately made it the new Sophos product interface going forward, that would be a low-CQ moment – quality uncertain (and frankly probably low without a remarkable amount of interdisciplinary research underpinning it), respect and integrity potentially high, but usefulness almost definitely poor – literally a tone-deaf-CQ moment.

Researchers – X-Ops’ contribution to Sophos as a whole – should be unafraid to explore and think weird thoughts, but high CQ means that even researchers must ultimately have a sense of how their work speaks to the needs of the business and the customers.

If you are applying CQ principles to products and the research that leads to products, these problems cease to exist. You will be doing research that identifies actual problems that are leading to organizations being compromised. When it is time to announce the new product or feature, you have a wealth of research to support your claims. Because the research is in service of customers’ actual needs, you don’t need to use sleight of hand and gimmicks. Your research advances the state of cybersecurity across the industry and makes sure customer protections stay focused and relevant, purposefully innovating rather than just throwing “cool” or trendy features into products. The worth of the work speaks for itself and supports the greater good.

All our work stems from our relentless pursuit of facts. Our experts then use their expertise to interpret this information to establish ground truth for others to build upon. Public relations, marketing, product management, and other teams work from this ground truth to ensure their work aligns with what we know — not the other way around.

With 24-hour news channels and a media landscape desperate for ad impressions and clicks to eke out an existence, it can be tempting for cybersecurity vendors to exploit people’s worst fears and thirst for outlandish headlines to further an agenda. The problem is that when vendors participate in this kind of activity, they not only muddy the waters, they distract the audience from the truth – and decrease its ability to respond to actual, current threats.

Living CQ: Three examples

For more information, watch this space for the second part of our CQ series, where we’ll lay out how customers can use CQ to navigate the current security landscape, especially as they assess potential partners and vendors. (We’ll also discuss some interesting business considerations that arise when CQ is part of the daily mix.) In the meantime — and just in case you’re done with the bad hypothetical examples and would like some good real examples — here are a few Sophos projects we point to internally as examples of high CQ, with some thoughts on why:

The Sophos X-Ops blog – This is a no-hype zone; researchers are encouraged to dig deep, cite non-Sophos research where appropriate, question everything, and generally show their work.

Sophos Trust Center: Trust must be earned, but you certainly shouldn’t take our word for it. To earn your trust we feel that we must be as transparent as possible with regard to our own security, coding practices, and governance.

The Active Adversary Report (link goes to April 2023 edition): Now in our third year (and at this writing, deep in the process of assembling the second of 2023’s three editions), AA reports on what our Incident Response teams have seen in the field lately.

Cybersecurity is harder than it has ever been, and as a responsible vendor in this space we must help highlight the biggest risks, and moreover help others comprehend those risks so they can respond appropriately to defend themselves. Practicing CQ ensures we are always on the right side of the line. Cybersecurity is a business of trust, and in the 38 years Sophos has been securing people, we have always put their trust at the front of the line.
