Part 3. Rethinking cybersecurity from the viewpoint of risk
Policy is the centrepiece of both cybersecurity and risk management. Having a policy, as well as knowing it and understanding it, is the way to be prepared for the inevitable–whatever that may be. If you don’t know your intentions well enough to be able to write them down as a statement of policy, you’re already floating up Risk Creek without a paddle.
Policy’s role is to act as guide, guardrail, and compass for everyday work. Every organization has its mission, its purpose, which must remain its focus in brushing off attacks. Unfortunately, we treat security and risk management only as a fire extinguisher, to be rolled out in the case of an incident. Unless we can live by rigorous policy every day, it will remain unfamiliar and unrehearsed, and thus ultimately be ineffective when crisis strikes.
That’s where “bow-tie” thinking can help.
In our new book Promising Digital Risk Management, which was developed while working with Orchestra on basic research, Patrick Debois and I propose a feedback process that we call a bow-tie model. It’s a human-technical way of getting everyone on board in a concerted effort to manage risk. If you’ve heard of Agile and DevOps, then this idea is hardly new. But the devilry is all about the execution.
There are two kinds of bow-tie model, as it turns out. They apply equally to cybersecurity and digital risk. The first is a traditional before-during-after model, about what to do in an incident. It has been around for several years, and it arguably suffers from the weakness of encouraging mainly reactive thinking. Now an improved version, presented in the book, reformulates institutional actions more in the image of the well-known OODA loop, and can be developed as a broad organizational process starting with the simplest of methods. It’s about collaboration across all layers of an organization.
The modified bow-tie model came out of research, carried out together with Orchestra, into integrating compliance and internal processes into a single knowledge-based framework. In this version, the knot and loops of the bow-tie don’t represent events leading to an incident, but rather they represent funnels of ordinary day-to-day information and advice gathered from inside and outside an organization (see figure).
The information funnel bow-tie model sketch from Burgess & Debois is described in detail as a workflow in their book.
On the left side, we have an array of standards organizations and industry actors offering advice and updates to follow. By itself, that advice is too generic to be of use. We need to apply it in context. On the right, we have an observant staff and an IT infrastructure that is constantly working on the front lines with eyes and ears open to understand that context. The summed knowledge from the right eventually filters back to the industry-wide actors on the left from bitter experience, but long before that, we can use that knowledge ourselves to shape policy with context. The finer details are described in Burgess and Debois’s book.
The bow-tie is not magical or mysterious. It’s just good knowledge management. It’s an information process, quite separate from routine patching and hardening of IT systems. Prevention is always better than the Cure (though don’t tell Robert Smith!), so we actually need to plan both at the same time to manage risk. Setting up a policy bow-tie model is a way to impregnate every organization with day-to-day hygiene practices so that when an incident comes, we’ll be ready and know exactly what to do.