What do woods and trees have to do with Cybersecurity?
The need for perspective. That and being able to understand the context in which things are happening.
The online world is highly complex, volatile and ambiguous, and it is often hard, if not impossible, to determine whether what we are seeing is real or faked. Navigating this landscape safely and securely requires care, attention and perspective. It needs sensitivity as well if we are not to become a problem for someone else.
This blog is about understanding, assessing and managing risk. We chose the title because it encapsulates one of the essential factors in effective risk management – understanding the context in which a risk might materialise. It also implies that there will be different perspectives from different individuals. This is another key point – “departments” or “business units” do not perform risk assessments. People do. Sometimes as individuals and sometimes as teams, but each contributor brings their own “map of the world” to bear on the assessment. As such, it is essential that each participant, contributor and stakeholder has enough accurate and timely information about the risk being assessed and the context for the assessment if they are to produce actionable output.
Where do we start?
There are numerous books, papers, blogs and presentations online that set out different approaches to assessing risk. An online search for “risk assessment methodology” produces roughly 2.4 billion results! The Institute of Risk Management (IRM) and the International Organization for Standardization (ISO) are amongst the more credible sources, but there are many, many more. Each organisation should choose a methodology and approach that is appropriate to its culture and the nature of its operations. Successful integration of risk management across any organisation is not a result of choosing method A or method B but of ensuring that the chosen method is applied consistently across all risk assessments. It also relies on risks being managed at the appropriate level in the organisation.
Another key factor is avoiding “paralysis through analysis”. The focus of any risk assessment should be understanding enough about what might happen to determine:
what needs to be monitored for early indications of the risk becoming reality;
what to do should the risk manifest itself; and
what business-as-usual will need to look like after response and recovery operations are complete.
The notion that everything will go back to how it was before, with the benefit of the experience of the COVID pandemic, now seems rather fanciful but was a common characteristic BCE (Before the COVID Era).
What an organisation chooses to invest in managing risk is also not something to which simple rules are suited. When you take into account the estimated or calculated likelihood of a risk occurring, the possibility of detecting that the risk has occurred, the impact it would have on the organisation and the potential costs to respond and recover, there are clearly multiple factors and some fairly serious decisions to be made. The main thing is that all of these factors are considered based on sufficient analysis to inform decision-making in a defensible and reasonable manner. There is no such thing as a perfect decision, only degrees of imperfection. If you can conclude that a reasonable person would agree that you have taken sufficient care in your decision-making process, then you have a position you can work with and defend.
Who is vulnerable?
One of the arguments we hear a lot in discussions with individuals and organisations about cybersecurity risk is “we aren’t doing anything worth stealing/hacking/attacking”. We all understand that not every organisation has massively valuable intellectual property or squillions of digital dollars to steal. But an insecure computer connected to the internet will be probed within minutes of appearing, because the internet is infested with scanners looking for newly reachable IP addresses. As soon as a new machine appears, it is scanned for vulnerabilities, and if it has any that can be exploited it will be compromised in some form. So even if you “only use my pc for email and web access”, there may be someone else using it for more nefarious purposes without your knowledge. Ignorance is no defence in law, and neither is negligence; if we are going to be completely honest with you, dear reader, we see the failure to protect connected devices as negligent. Since the bad guys are constantly innovating, we cannot get complacent for a minute: what was secured today could be vulnerable by tomorrow, and the malicious software never sleeps.
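You do not have to take the “probed within minutes” claim on trust; your own firewall log will show it. The script below is an added example written for this post, not code from the original article. It parses constructed firewall drop-log lines (the SRC=, DST=, PROTO=, SPT= and DPT= tokens mirror the netfilter LOG target, but the line framing, timestamps and addresses are made up for the example and the real format carries more fields) and reports how long after the interface came up the first unsolicited packet arrived, how many distinct sources probed the host, and which ports they went for.

```python
"""Measure how quickly an internet-facing host attracts scanner traffic.

Added example, not part of the original post. It parses firewall log lines
written for dropped inbound packets and reports:
  * seconds between the interface coming up and the first unsolicited probe,
  * how many distinct sources probed the host,
  * which protocol/port pairs were hit most often.
The log lines below are constructed for this example. The SRC=/DST=/PROTO=/
SPT=/DPT= tokens follow the netfilter LOG target, but the surrounding line
framing is simplified and the addresses and timestamps are invented.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the WAN interface comes up at 10:00:00 and the firewall
# logs every dropped inbound packet after that (no services are exposed, so
# every one of these is unsolicited).
SAMPLE_LOG = """\
2024-05-01T10:00:00 kernel: eth0: link up
2024-05-01T10:00:41 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41212 DPT=22
2024-05-01T10:00:43 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41213 DPT=23
2024-05-01T10:01:05 kernel: FW-DROP IN=eth0 SRC=198.51.100.25 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=445
2024-05-01T10:01:09 kernel: FW-DROP IN=eth0 SRC=198.51.100.25 DST=192.0.2.10 PROTO=TCP SPT=5556 DPT=22
2024-05-01T10:02:30 kernel: FW-DROP IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP SPT=53413 DPT=53413
2024-05-01T10:03:12 kernel: FW-DROP IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=22
"""

DROP_RE = re.compile(
    r"^(?P<ts>\S+) kernel: FW-DROP IN=(?P<iface>\S+) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)
LINK_UP_RE = re.compile(r"^(?P<ts>\S+) kernel: (?P<iface>\S+): link up$")


def parse_timestamp(text):
    """Timestamps in the constructed log are ISO 8601 without a timezone."""
    return datetime.fromisoformat(text)


def summarise_probes(log_text, iface="eth0"):
    """Return a dict describing unsolicited inbound packets seen on `iface`.

    Every dropped inbound packet counts as a probe: the host offered no
    service on that port, so nothing legitimate should have knocked there.
    """
    link_up = None
    probes = []  # (timestamp, source address, protocol, destination port)
    for line in log_text.splitlines():
        m = LINK_UP_RE.match(line)
        if m and m.group("iface") == iface:
            link_up = parse_timestamp(m.group("ts"))
            continue
        m = DROP_RE.match(line)
        if not m or m.group("iface") != iface:
            continue
        dport = int(m.group("dpt")) if m.group("dpt") else None
        probes.append((parse_timestamp(m.group("ts")), m.group("src"), m.group("proto"), dport))

    if link_up is None:
        raise ValueError("no link-up event found for interface %s" % iface)
    probes.sort()
    seconds_to_first = (probes[0][0] - link_up).total_seconds() if probes else None
    targets = Counter((proto, dport) for _, _, proto, dport in probes)
    return {
        "seconds_to_first_probe": seconds_to_first,
        "distinct_sources": len({src for _, src, _, _ in probes}),
        "probe_count": len(probes),
        "top_targets": targets.most_common(3),  # ((proto, port), hits)
    }


if __name__ == "__main__":
    result = summarise_probes(SAMPLE_LOG)
    print("first probe %.0f s after link up" % result["seconds_to_first_probe"])
    print("%d probes from %d distinct sources" % (result["probe_count"], result["distinct_sources"]))
    for (proto, port), hits in result["top_targets"]:
        print("  %s/%s hit %d time(s)" % (proto, port, hits))
```

Run it against a real drop log by feeding the file contents to summarise_probes (adjusting DROP_RE to your firewall's line format). Note what the sample shows even in miniature: SSH (TCP/22) is the favourite target, and the same source comes back for a second port seconds later, which is exactly the automated, indiscriminate scanning the paragraph above describes. Real logs will also contain traffic that is not hostile (stale connections to a reused address, misconfigured peers), so treat the figures as an indication of exposure rather than a count of attackers.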
[Aside: This blog post by the aptly named Rob Sobers provides an excellent high-level summary of some of the data we should have in mind relating to cybersecurity breaches: 98 Must-Know Data Breach Statistics for 2021.]
What has COVID-19 taught us?
What can we learn from past cybersecurity experience and the changes to working patterns, and the risk landscape, caused by the pandemic?
Firstly, there are clearly a large number of dedicated, skilled and experienced professionals who have worked incredibly hard to implement secure remote working solutions in timescales previously deemed impossible. Entire security policy positions have been redesigned in weeks, having proven inadequate to deal with the restrictions on movement and social contact. These are but two examples of the heroics that have been seen across the world over the course of 2020 and 2021. This tells us that, when we have to, we can achieve incredible amounts of transformation in very short timescales where the will (and of course the budget) exists.
Looking back on how these transformational activities have then evolved through experience, we have also learned that we can evolve services, processes, policies etc in small incremental steps as we identify flaws in our previous thinking. The “Big Bang” approach is not the only way to transform.
We have also learned that the definition of “good” for systems and online services now includes being secure and protecting privacy by design. Aside from the increased visibility of cybersecurity and privacy in laws, regulations, boardrooms and management schools, the ICT industry and its customers are seeing that systems that meet the requirement to be secure and private by design are easier to maintain, cheaper to operate and, most importantly, easier to evolve than those where corners were cut on design work, security, testing and documentation in the interests of saving money.
The pandemic has also brought into sharp relief the need for organisations to pay far more attention to the mental health and general wellbeing of their people. Old, industrial, command styles of management are no longer widely accepted, though they do still exist in places. Working remotely has forced managers to be more proactive about checking in on their people to make sure they are coping, instead of relying on seeing them in the office and concluding that they seem fine.
Managing stress in a security incident
Security incidents arising from risks becoming manifest are one of the most stressful events that many people will face in their professional lives. Normal goes out of the window when your entire network is taken offline by ransomware. Time becomes a really precious commodity and there is always a temptation for certain personality types to come to the fore and “take over” using individual heroics to try to solve organisation-wide problems. Having been involved in a few such incident responses, we can testify to the fact that such approaches can do more harm than good, especially on the humans involved. As we mentioned earlier when talking about assessing risks, at the point the risk becomes a reality we also need to focus on three aspects of response (in the language of our forest and trees metaphor):
one team is focused on putting the fire out and investigating how it started;
another team is focused on preventing it from spreading beyond a manageable boundary, which might involve actually cutting down some metaphorical trees to create fire breaks;
a third team follows the fire control team around, regenerating the soil and planting new trees in such a way as to prevent a similar fire in future.
Each team needs to understand what it is responsible for (its own trees) and what the other teams need in order to do their jobs (the forest). There needs to be constant, formal communication so that records of decisions and actions can be reviewed in the cold light of day once the incident has been fully resolved. Duplication of effort must be avoided: it not only increases stress and confusion, it is likely to exacerbate rather than mitigate the problem at hand. Trust within and between teams cannot be assumed in any organisation, large or small, so it must be worked on through rehearsal, respectful but direct communication, and learning the skills and techniques of collaboration and multi-team cooperation. Nobody has all of these skills innately; they need to be trained. Each team needs to learn how to work effectively together within the team first. They also need to learn how to work effectively with the other teams.
Invest in people or watch them leave
As someone who, many years ago, played sports to a decent level, it has always surprised me how little coaching is offered by organisations to their people at all levels. We have talked a little about this in the podcast as organisations expect high performance, yet do not invest in the kinds of coaching techniques that elite sportspeople use to improve over time. Usain Bolt was not going to run 100 metres in 9.58 seconds without coaching assistance. Why is it we expect our leaders, managers and contributors to be able to deliver and evolve their skills without being helped by specific experts? I recall watching the Olympic rock climbing in Tokyo 2020 listening to one of the pundits talking about the different coaches she had for different aspects of climbing. Leg strength, shoulder strength, arm strength, wrist and finger strength and agility, climb planning, safety, the list was long and each element has a specialist coach.
Few of us will ever reach that kind of elite status in our professional lives, but that does not mean we do not want to improve and learn and evolve over time. If our employers are not prepared to support and facilitate that evolution, what will it tell us about their attitude to us?
The histories of IT and cybersecurity are littered with the corpses of failed projects and programmes. One of the primary reasons for such failures is a lack of human engagement, because you can’t just tell people stuff and expect them to understand and accept it, let alone become enthusiastic about it. The DevOps model emerged because it became obvious that collaboration between the people who build software and the people who run it was critical to success. It was also obvious that developers who also operate and maintain their software have a vested interest in developing good, robust, maintainable systems.
Will good security habits result from 30 minutes CBT annually?
Obviously not. Yet this is the expectation of many, many organisations. In a blog for the British Computer Society (Why security needs to stop blaming the end user | BCS) I argued that too much emphasis is put on producing audit evidence that so-called “awareness training” has been delivered to all staff, when the problems that exploit non-specialists’ lack of understanding are generally preventable by design in the first place. The security training that organisations put people through is inadequate: too generalised, too short and too infrequent to have any lasting impact on actual behaviour. You don’t build habits by sitting someone in front of a computer-based training (CBT) module for 30 minutes once a year.
We have to do far better at educating and instilling that kind of mindset across the rest of the technology domain, which is much wider than cybersecurity. Because, whether it is entirely correct or not, the general perception in organisations and in the general population is that cybersecurity is the technologist’s problem. If we want people to think about how to be safe and secure when they are working on computers (and these days every computer is networked, so it is online), we need to give them confidence that we are winning the argument within the technology domain. Otherwise, why on earth would they want to listen to us? So my appeal to everyone involved in technology, and everyone involved in cybersecurity, is this: working together, we can make the online world safer and more secure for everybody. If we recognise that we have a symbiotic relationship and work together well, we can do amazing things and be greater than the sum of the parts. If we don’t work well together, all we deliver is more problems.