Cyber risk - enter the stage manager

Managing the moving parts of cyber risk is a balancing act with big benefits - and consequences. Here's how we fit in.

Mike Parkin | September 05, 2022

Cyber security can be a complex beast. There are dozens of moving parts, competing interests, short timelines, potentially high stakes, personalities in play, and a host of other players, all trying to please a demanding and sometimes fickle audience. What’s worse, people in cybersecurity have to do all this under the constant external pressure of new threats and persistent threat actors.

Looking at this and trying to find a good analogy to explain what we do, especially to someone not directly involved in cybersecurity, can be a challenge of its own. People in the industry understand the moving pieces, how threat surfaces evolve, how often new vulnerabilities appear, how quickly threat actors find them and exploit them, and how Security Operations and IT teams do their parts to keep the environment safe. 

But outside the industry? We still have to deal with users giving away their passwords to random strangers on the phone and opening suspicious email attachments.

Explaining what we do here at Vulcan Cyber to someone in security operations is easy. They understand how silos work and how hard it can be to get the right information to the right people to get the fix in place. They recognize why a tool that consolidates information, prioritizes risks, and points out the appropriate remediation is so important. But how do they get this across to the rest of the people who need to understand? The folks over in development, or IT, for example?

That’s where we come to the analogy of the stage manager.

Theater here can be a good analogy. Even if you’ve never done theater yourself, you’ve almost certainly seen something on stage. People are familiar with a lot of the moving pieces that go into a theatrical production. They know the actors, of course. Those are the ones who are front and center and get all the accolades because a good or bad performance can make or break a play. People also often know the playwright who wrote the show, and the director who pulled it all together. The writer may not show themselves, but the director often makes an appearance sometime between the audience taking their seats and getting up to leave.

There are a lot of other elements that may not be quite so obvious, but that the audience intuitively knows are part of the production. The costumer. The lighting designer. The musicians if there is live music, or the person at the soundboard if there’s not. The props folks, and the stagehands who move everything in and out of position.

But there is a piece to this puzzle that only the theater geeks in the audience know and appreciate, and that’s the aforementioned stage manager.

The stage manager has the sometimes unenviable task of making sure everything else falls into place. They’re the ones who make sure the actors take the stage on time, the props are in place and ready to go, the stagehands are ready to move sets and help with quick costume changes, and myriad other things that happen behind the scenes to make the show a success. You can have a show without a stage manager. But it’s a really, really bad idea and you'll be setting yourself up to fail.

How to manage cyber risk

In cybersecurity, it’s similar and I’ve been using the stage manager analogy to describe what we do. When I talked to people at this year’s RSAC conference, the overwhelming response paraphrased to “cool, that makes sense.” Though that does raise the question of how many of us in cyber security now were theater geeks in school. But I digress.

What we do is not the “on stage and in front of the world” that people often think about. We’re not the firewalls keeping unwanted traffic out of our environments. We’re not the endpoint defense keeping malware from ruining our day. We’re not the scanner looking for flaws, or the asset management tools deploying fixes across the environment. But we are the ones who make sure all those other parts work together smoothly.

It’s not a perfect analogy, of course, but it gets the point across.

The Vulcan Cyber risk management platform pulls in information from all the disparate parts of the security stack, and the asset management stack, threat intelligence, etc., and combines it with the organizational knowledge needed to make sure everything can do its part to keep the organization secure. 

The actors and lighting technicians may not talk to each other directly, but the stage manager keeps them on the same page. Which is what we do in the cybersecurity space. Where the scanner might find the flaws, we’re the ones who make sure the patch management system is able to prioritize them and address the most important ones first.

Cyber security shouldn’t be “security theater” like, say, those long TSA lines at airport security can be. But chances are your security and IT operations will work together better with a stage manager in there helping things run smoothly.