Part 2. Rethinking cybersecurity from the viewpoint of risk
The ability to estimate risk presumes a certain level of insight into relationships, both technical and human. Yet, too much has been made of the idea that trust itself is our enemy. It’s a simplistic argument, pushed by cybersecurity hardliners, which leans on the trite Russian proverb “Trust, but verify!”. In my view, that can’t be the answer. Apart from being too corny and a convenient scapegoat, the world is built on trust. It’s not our enemy. True, if we can’t trust, then we have to verify, and verifying is expensive, but would we rather be dragged down into the weeds on every single issue? Unless we can gamble our safety on the familiar trusted relations, we wouldn’t be able to afford the modern world.
The key pillars of cybersecurity are well known. Broadly, they cover access control, identity management, and privacy issues. Many companies have policies for those on some level. Data protection can be handled by a firewall, backups, and some encryption. Access settings can be automated from policy, for consistency and reliability. But how can we protect against a loss of reputation or identity? That’s not something you can simply reinstall from backup. In a crisis, an organization needs to act as a single entity, but often we find ourselves all over the place. Fixing the holes in trustworthiness requires a policy that covers both human and technological procedures.
Compliance frameworks and their audits try to impose discipline onto organizations, in order to promote minimal standards, but in doing so they might actually distract us from dealing with the pressing risks in a natural way. But they aren’t going away, so we have to find a way for compliance to coexist with institutional imperatives.
In the figure below, I sketched a simple Wardley map of the kind of trajectory many organizations take in managing risks. Most will begin simply with some kind of monitoring capability, looking to detect anomalies and intrusions, hoping to wing it in a crisis. There is automatic patching and scanning for viruses, which usually won’t pick up any issues because that’s a well-solved problem for all but the most negligent. It’s all basic personal hygiene. At this point in our maturation, however, we have a choice: do we take matters into our own hands or outsource? Whatever we choose, there’s a nagging problem. None of the measures can or will prevent every possible disaster from occurring. So what then?
The trajectory of organizational risk management
There are simple steps an organization can take to manage that risk, alluded to in the figure. I’ve discussed this in a new book, written with Patrick Debois.
The working relationships in an organization are the links in our supply chains of process. Every concerted effort in an organization is a supply chain that can be disrupted. If we’re not ready for that and the all important arteries of process are attacked, we’re vulnerable to catastrophic failure. Independence is the retreat position of last resort.
With a few simple techniques, we build up knowledge and learn to make use of the network of employees who develop and embody it. These are the essential arteries of an organization, the lifeblood of its intelligence and ability to respond. We have to acknowledge that managing risk involves the managing of relationships, respect for roles, and readiness to act, with the skills at hand. Thinking in Promises is one way to approach that, as I’ve written many times before.