I am confident many of you have heard the phrase “whole of government” before. Just in case you haven’t, in a nutshell, here is what it is: agencies and departments working across portfolios to execute on a shared purpose. For some time now, I have even called for a “whole of nation” approach, specifically relating to linkage between economy and security, but that’s a conversation for another time.
What you may not see too often though is a “whole of organization” solution when it comes to cybersecurity. Sure, there are great individual (read: silo-based) approaches that can improve certain facets of your business, but ask yourself: are they really making the business/organization/enterprise better? And more importantly, are these silo-based approaches working for you?
It’s a tough question – in part, because of the subjectivity that comes with the word “better” as opposed to a clear metric – and the answer may not be as obvious because when you take the silo-based approach you do get some results. Think working out for a moment. Doing bench presses until you’re blue in the face may allow you to push 300 pounds, but does that make you a stronger runner? Does that improve your cardiovascular health? Does it mean you’re healthy?
You see, the silo-based approach focuses more on goals – pushing 300 pounds – as opposed to systems – all-around better health. For good non-cybersecurity reading on the important differences between the two, see Scott Adams (the two pieces I linked previously) and the works of Nassim Nicholas Taleb.
Going back (“way back,” for a moment) to some research work in the business continuity field, I vividly remember an instance when I was talking to an unnamed person who was curious about my research. Generically, I said, “I’m looking at best practices in business continuity as a whole.” I will never forget the smugness of the response, smile and all, when this person said to me, “You’ll come to realize that this project is too large and too difficult for you to undertake.”
Apart from the obvious shot, this person went on to say that I should look at something more “manageable,” like “a smaller slice” of the problem, and worry exclusively about getting “that part” right. This prompted a response from me that went along the lines of: that’s exactly the problem; if you’re not looking at the entire problem to see how these interactions play themselves out, the inherent vulnerabilities will still remain and may even get worse.
That’s the difference between goals and systems. You can have individual goals working at peak Swiss-made watch precision (and complexity), but if the system has other faults, you may as well be using a tilted hourglass to tell the time. And here’s the real kicker: as much as you need to respect the fine craftsmanship of an expensive automatic watch, you’re going to get more reliable and accurate time readings out of a cheaply made (and simple) quartz watch. Again, it’s about finding what’s right for you and your needs.
Let’s wrap this back to cybersecurity: if you’re not looking at the organization’s full risk profile, you’re going to have gaps in your cybersecurity posture. And some of those gaps may be so wide you can drive a bus through them and still have room for a jumbo jet without putting a scratch on either of them.
More importantly, if you’re looking at the full risk profile, and doing it properly, you’re looking at the cost of all business impact and not just the cost of network downtime. Put another way, if your CISO isn’t giving equal weight to the cost of reputational damage and the cost of a downed server, both caused by the same cyberattack, find another CISO.
One of the main reasons that I’m a big fan of the NIST Cybersecurity Framework (version 1.1 was released this past April) is that it gives you a roadmap of “the cybersecurity system” within which your organization operates. Having the roadmap also helps you understand the business impact. The NIST CSF gives you a pretty good primer of what your system looks like, regardless of what line of business you’re in or what your size is. And you will find, perhaps surprisingly, perhaps not, that every single organization basically faces the same cybersecurity problems.
The trick is to match up that primer to your organization’s system and then implement the appropriate solutions. And know that I appreciate this is easier said than done, especially when you have internal dynamics and interests challenging each other. Implementing something like the NIST CSF is just as much a practical exercise as it is a political one. That’s why you need to take the “whole of organization” approach.
If you have followed my writings, you’ll know that I’m all about reducing human vulnerabilities. I still believe they’re the biggest threat to you and your organization because they present a fat-tail risk that can be incalculable (spearphishing, emails, cough cough). Yet, with that said, if you’re an organization that has multiple devices connecting to the internet and you don’t have some type of modern machine-learning anomalous-activity monitoring and response software protecting your data, you’re looking for a bruising. There is simply too much traffic and data out there for a human to manage, but a human can certainly be at the helm of that software. You need that balance. Too much in one direction and you become dependent on technology; too much in the other direction and your arrogance could lead to a death blow. And everybody’s balance is different.
So, to summarize, it all comes down to finding the right solution for your organization, hence the “whole of organization” approach I am strongly hinting at. You are ultimately making a business decision, and there are issues of use, access, and scalability, all of which need to be considered. “More tech” should not be the default position. The default should be “right tech,” “right training,” and “right permissions” for your entire organization. And that requires you to appreciate that an organization of 1, 100, or 10,000 has very different needs but also, in select spaces, the same needs. If you can master the trick of finding what’s right for you by appreciating the power of the “whole of organization” approach (the “system”), you will work wonders in reducing your cyber risk profile.
By George Platsis, SDI Cyber Risk Practice
August 14, 2018