How Sutton’s Law Applies to Cybersecurity Today

In my previous article, I raised a red flag about the diminishing practical returns of “mom and pop” threat research as a proxy for mitigating vulnerabilities and bad consequences. Threat assessment is often both difficult and incomplete, and sometimes best left to those who have timely access to the best possible data (and the even then, left to those with the military and intelligence means to act on it).

In that piece, I also begged an obvious question.

If chasing threats are not the best allocation of an organization’s security resources, what is? Where should we be focused and how can we best translate that attention to more effective—and efficient—cybersecurity?

Allow me to answer that with a brief portrait of a driven, iconoclastic, 20th century American financial entrepreneur named William Francis Sutton, Jr. Beginning in the early 1930s, Sutton began his extremely successful and profitable 40-year career—as a bank robber. Not only did his particular skill set net him an estimated $2 million and earn him the nicknames “Slick Willie” and “Willie the Actor,” his most famous insight also left us with a truism that is now referred to as “Sutton’s Law.”

Which is why we should consider Sutton’s quote as particularly relevant to cybersecurity today: Why do threat actors go after cyber assets? Because that’s where the consequences of significance are.

From financial information and personal data, to access to trade secrets, customer information and patterns—data has become the most consequential asset for many organizations, and the most valuable target for threat actors. Whether their motive is financial gain or maliciousness, they are hoping for two things: easy access to what they are after and maximum impact for their efforts.

Which aligns directly to the cybersecurity risk paradigm: a triangle comprising and illustrating three components of risk: Threat, Vulnerability and Consequence. We have already established it is challenging for individual companies to accurately characterize threat, or successfully mitigate it even if characterized. That leaves Vulnerability and Consequence.

Not necessarily in that order though—unfortunately, many organizations are not nearly focused enough on closing known vulnerabilities that allow breaches. I won’t name names here—any news site on any day will give plenty of examples, and many CISOs breathe silent sighs of relief that it’s not their turn today. It’s remarkable to think about how much damage can be prevented with just fundamental, basic security hygiene. Most people would be stunned at how much that inattention to vulnerability management is responsible for the data breaches we so often hear about.

That said—and for the sake of discussion, assuming basic hygiene protocols are indeed followed and signature-based blocking of known threats is employed—let’s apply Sutton’s quip of “that’s where the money is” to the most-overlooked aspect of cybersecurity risk: avoiding bad consequences.

We need to identify the most destructive potential results of a realized threat or exploited vulnerability, and engineer-out those consequences so they cannot happen or so the damage incurred is not as big if they do. Either can be effective threat mitigation—because threat actors will quickly conclude that their attempts require too much difficulty, or there would be little or no return on investment for their efforts even if they successfully penetrate a system.

Were he alive today, Willie would surely advise us: Don’t make it easy to get to the money, and don’t put the money all in one place. When we focus our attention on the things we can control—Vulnerabilities and Consequences —we create a dramatic increase in protection, and fully comply with Sutton’s Law. 

Next time, we will use these principles to explore some fundamental best practices of cybersecurity—some obvious, some not and some controversial—that can greatly improve the security of any network.

Original article published in CSO and can be found here.