In American
military circles, there exists a term “embrace the suck”.  It means to consciously recognize and accept that
something will be extremely unpleasant so as to not let it discourage from
pursuing the best path to success.  It is
often characterized as a situation that is misleadingly easy in appearance from
an outsider’s view, but extraordinarily difficult in practice.  It forces operators to optimize their
situation, knowing it will never be comfortable, and pushing through anyway.  With this mindset, professionals are driven
to follow the best path, fully knowing it will be very difficult, and not concede
to find the less productive but easier course.

For
cybersecurity, measuring our value is this friction that we must contend with.  The effort to do it right and achieve
sufficient accuracy simply ‘sucks’ to accomplish.   But
without showcasing value, investment and empowerment will wither, thereby undermining
the security organization’s capabilities to protect and enable the business. 

Calculating security
value is an extraordinarily difficult ask that unfortunately dissuades many leaders.  They often pursue a theatrical path of flaming
fears and doubts, or disregard the exercise altogether and attempt to operate
without a clear picture of justification. 
Such fear and ignorance will suffice for some time, but ultimately bites
back in painful ways.

Accurate portrayals
of value are foundational in establishing a sustainable strategy that aligns
with the goals of the overarching organization. 
It reveals a goldilocks zone where investment and empowerment are not
too little and not too burdensome.

The
cybersecurity industry must take on the struggle, knowing toil will never fully
go away, and work to reduce the friction We must shed our anxieties and forego the illusionary
poor-excuses of value couched in fear, in order to better convey meaningful
cybersecurity investment.

The whole keynote presentation is available: https://www.youtube.com/watch?v=VQ31V-lVsKA&list=PLkMjG1Mo4pKKjDFBtB2JZJ9OtKA_QSYBV