The allied military forces engaged in operations in Iraq and Afghanistan nearly 20 years ago were confronted with the challenge of Improvised Explosive Devices (IEDs), roadside bombs that were detonated remotely and inflicted casualties and damage on military personnel and materiel. Major research efforts on how to detect these IEDs and detonate them harmlessly, or to infiltrate and disrupt bomb manufacturing, were referred to by the idiom “Left of Boom.” “Left” is the program management concept for the early side of the programmatic timeline, as in “Move this project to the left.” Of course, “Boom” is self-explanatory.
The phrase “Left of Boom” was catchy and caught on in other domains, like healthcare and critical infrastructure, or any domain in which preventive and proactive measures should be taken to prevent or limit harmful consequences. “Left of Bang” would be occasionally interchangeable with “Left of Boom.” About 15 years ago, the idiom began to be applied to cybersecurity, where the risk management continuum values the investment in protection to mitigate the negative consequences of a cyber incident.
We can never eliminate risk entirely, but we can manage it effectively with “Left of Boom” processes and procedures. The primary job of the Chief Information Security Officer (CISO) is to exercise continuous diligence in reducing risk, within the risk appetite and risk tolerance of the organization, so that the likelihood of a boom is low, and the corresponding magnitude of harm is limited. Achieving “Left of Boom” cybersecurity is a journey on which every CISO should be embarked.
An effective cybersecurity and risk management program encompasses numerous processes and procedures, and implements dozens of programs, capabilities, and tools, all being managed by competent and qualified cybersecurity professionals. When harmony is achieved among all the various elements, a holistic defensive posture can be demonstrated to senior leadership and oversight authorities. Getting started on such a path can be intimidating, especially for smaller organizations with limited resources, but these are some of the solid steps to be considered on the path to “Left of Boom.”
It wouldn’t be practical for any CISO to proclaim that “Left of Boom” is the security framework that will be implemented in the enterprise. It’s a concept, and a catchy slogan, but it’s not a framework. Fortunately, cybersecurity frameworks exist that, if implemented effectively, can provide “Left of Boom” proactive cybersecurity and risk management defenses. Here are a few worth considering.
If the “Left of Boom” approach is considered the best way to approach cybersecurity and risk management in an enterprise, then what is “Right of Boom?” In most cases, operating “Right of Boom” is extremely resource-intensive and counterproductive to the business operations and mission of the enterprise.
The reality is that “Right of Boom” happens and preparations must be in place to account for a “Right of Boom” situation. Fortunately, some “Right of Boom” processes and procedures can inform some “Left of Boom” activities, thus providing a valuable feedback loop. In fact, it can almost be argued that “Left of Boom” exists as an idiom because “Right of Boom” has happened too often.
Disaster Recovery Planning (DRP), Business Continuity Planning (BCP), and Continuity of Operations Planning (COOP) all are “Left of Boom” activities, but they get put to the test in a “Right of Boom” situation. It’s extremely important to develop these plans, engage leadership and all stakeholders in putting them together and exercise them regularly, and then pray that they never have to be used.
If or when an incident occurs, all the “Right of Boom” processes must kick in effectively, including incident response, triage, systems isolation, systems reconstitution/restoration, forensics investigation, security event analytics, and a lessons-learned action plan. It’s important to note that an unfortunate incident may have disrupted operations or impeded mission accomplishment, but it also provides critically important information with which to fine-tune the organization’s “Left of Boom” capabilities.
Although he didn’t realize it at the time, Ben Franklin actually may have been our nation’s first CISO. His statement “An ounce of prevention is worth a pound of cure” is as “Left of Boom” as it gets. His point was that preparing for an event is far more efficient than responding to an event. Ben Franklin was an accomplished and knowledgeable Founding Father, and his wit and wisdom are well known to us. Also attributed to him are the statements “By failing to prepare, you are preparing to fail,” and “A little neglect can yield great mischief.” Ben Franklin might not have actually been our nation’s first CISO, but he certainly understood “Left of Boom.”