I recently received an email from an old friend that reminded me that 20 years ago I earned my CISSP, the long-time gold standard for cybersecurity certifications. As a builder, defender, and leader, it’s frustrating to know I have the best knowledge, tools, and support of any time in my career but none of our adversaries must have certs or degrees or even nice things, and they still kick our collective butts every day. Why and how have we arrived at this point in history? We have global cyber warfare breaking out of the shadows and into public awareness, unrelenting cyber-attacks, and cybercrime along with the civilian analog to event fatigue, manifest in the general public’s indifference to ransomware, data breaches and identity theft. This really hasn’t gone according to plan yet for the good guys.
As I was writing this, I went back through one of my old textbooks from the era of my CISSP test to see how we used to characterize and measure risk. I found it difficult to nail down what the best minds of that time considered risk, they used it as a noun and a verb, and it was also a trigger for actions, but it wasn’t clear what RISK was. A few years after I passed the certification, the US Government codified cybersecurity “Risk” with the release of the Risk Management Framework. I’m not sure why, but to this day most people in IT and Cyber still struggle conceptually with Risk. Lots of books and frameworks and tools but ask 20 cyber professionals how to best assess it and how to use it to make decisions and you may get more than 20 answers. In the last five years, threat models have become more important to cyber professionals mainly because I believe they are more intuitive than risk from an operational perspective. Look at how in the game of cyber buzzword bingo, Mitre ATT&CK is everywhere because it gives us a common language and understanding to regain a modicum of control.
The National Institute of Standards and Technology (NIST) Risk management framework (RMF) was created to help provide guidelines to organizations to protect their information systems and data and effectively manage risk throughout a systems’ lifecycle. “Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.” (from https://csrc.nist.gov/Projects/risk-management/about-rmf)
Commercial Cybersecurity is a whole other animal, and I will touch on that in a later blog. For right now, I am going to pick on the US Federal Government’s application of the RMF. When I read the definition above, it starts with “organizational risk”, yet RMF is always applied to individual systems (and for a standard, sadly the consistency in RMF is best found in its inconsistent application, within and across organizations). We try very hard to build new systems better than in the past but there always seems to be too many reasons why planning and execution end up drifting far apart. This disparity puts tremendous pressure on a cybersecurity team’s ability to manage cyber risk for the organization. Let me say this one more time for emphasis, the scope of Risk Management is organization wide, yet we always assess at the individual system level. I know, “how do you eat an elephant? One bite at a time”. Somehow, we think that with each new system, we might get it right and then we fall back into a vicious cycle of failing to meet or exceed the standard. And we thought Sisyphus struggled mightily? Ok, when does the elephant get reassembled to assess for organizational risk? If you don’t add all of it back together at some point your tactics never become strategic. Outcomes can be even worse when it is inconsistently applied. Somehow the “organizational risk management solution” expects miracles through technology and technology driven processes alone. Have you ever been in a meeting where the system owner chooses to accept risk out of ignorance so it doesn’t derail an arbitrary commitment date, alter schedule or cost profiles, or inhibit potential promotion opportunity? Risk takes many forms and sometimes its not the technology, it’s the people involved.
Well, here we are, billions of dollars invested in people, process and technology to get to the point where we have finally just had to shrug and “assume breach”. We even have oddly named the branch of cybersecurity assigned to corrective actions and mitigations, DFIR (Digital Forensics and Incident Response). This sounds oddly like DEFER, which is how we appear to be doing Risk Management as a community…as in “lets defer this till we have more time.” Inadvertently and unknowingly we have become really good at deferring or let me use official risk language, transferring risk as our legacy.
Why is this so hard? First, I think we are missing the opportunity to assess systemic risks first. Systemic Risk helps us better define the scale and scope of our “environments” which encompasses not only our mission and people, process and technologies, but how we interact with the world around us. Second, it comes down to the semantics of two words. They are the definitions of “Complicated” vs “Complex”.
We like to use the words interchangeably but in reality; they are very different in the context of systems. A system in this case can really be the sum of all the sub-systems within an organization (which could be a division, a department or an agency or civilian or defense or wait for it, something bigger yet, like maybe the “Internet” is the system). The exercise is more than the assessment of risk for a single systems’ view if in fact you are assessing for Organizational Risk. Risk management as we define and assess it works in complicated environments but generally fails in large, dynamic, complex ones. Why? Because we believe we can control the variables and we usually aren’t even aware of all the ones that actually effect/affect us. In cyber security today we are really kidding ourselves if we think we control all of the variables. We need to approach security from the mindset of Complexity instead of Complication.
Why does this matter? Most of our risk management controls are based on a premise that once we set them up, they will continue to work properly. There are many things that can cause that assumption to fail without introducing cyber bad actors and criminals. When we add them to the mix, well they are just the special chaos sauce we need to guarantee unrelenting cyber event tempo and failed risk management objectives.
I alluded to agile and DevSecOps earlier. I believe these modern practices can indirectly offer us a cleaner path towards Cyber Security and Organizational Risk Management success. I say this because of several of the fundamental principles of these practices, including the concept of observability, automated testing (and yes Continuous ATO can and should leverage the same automated testing infrastructure) infrastructure-as-code and immutable architectures (cattle vs pets). All these concepts/constructs will be instrumental in allowing the next generation of risk managers and security operators to apply cybersecurity best practices, tools, and people better than today. When combined with complex system thinking, they also enable data science and cyber security teams’ a better, cleaner view of data to make decisions from.
Organizational risk management success will come from acknowledging we can no longer use tools designed for controlling and predicting complicated systems behavior because complexity rules the day, and we are never going back.
More in the next post.
Like the old tv commercial, you can pay me now, or you can pay me later…
Time, money, resources, risks, and threats. Never enough of the former, way too much of the later. This pithy statement sadly describes the current state of cybersecurity for many organizations.
When you or your organization are under the gun due to cyber issues, just discovering a breach or data spill or in the middle of an active attack, how do you make the call? What gets the priority? Is it what makes the pain stop now, or is it what will minimize the pain going forward? What is your first response, Band-Aid, tourniquet, amputation, euthanasia? How in those moments do you know if you made a good decision or a career ending mistake? Do you review or grade your responses over time? Honestly, let’s just get out the short swords now everyone…
As an industry, I see more and more leaders take the quick seemingly painless route based on very little data and information. It’s an opportunity to buy a new product that appears to be custom made just for this problem, but as it turns out, it’s not helpful for next weeks’ issue at all and even worse it is not part of a bigger plan (usually)… oh and it’s hard to integrate with your other 31 “must buy now” cyber tools from the last few dozen events. That’s never happened to anyone reading this has it?
How many times can your organization absorb this knee-jerk route to cybersecurity before it no longer sustainable? Will there be any money at this point? Can you afford to make this kind of mistake more than once? Can you afford to make this kind of mistake ever? It’s one thing to be decisive when you have the information you need to make a decision, it’s another when you think you do, and you don’t.
There are entire libraries of books and published frameworks on how to secure your organization and manage risk effectively. The problem is nobody starts that way. Few people understand how to assess plan and manage risk, fewer do it continuously. The CISO never gets hired before the CFO. The IT and Cyber teams’ best intentions give way to overarching growth and operational needs and corners invariably get cut. The one absolute truth here is that it costs way more to apply security later than at the beginning. It feels right and noble when you are MacGyver’ing it together with your hair on fire. However, let’s not kid ourselves, to our adversaries, externally and internally, our infrastructures often resemble a shanty town, just after a natural disaster in their stark lack of resiliency and inconsistent application of policy and standards.
The whole point here is that we have made cybersecurity way too complicated and complex. We are so busy treading water we can’t take the time to prioritize changing so that we can actually improve. We have been trained to act decisively in our organizations and in our leadership cultures, but we constantly fall into group think and operate like a herd of prey animals. If I had a bitcoin for every time I heard “because that’s the ways its always been done” I would have A LOT of bitcoin. Effective Cyber Security Risk management boils down to three key areas, know your assets (what you have), have visibility to and baseline your network (what’s happening now) and use threat intelligence (what’s likely coming next) to inform your current and near-term cyber risk. Easy to say, hard to do in our modern world, but not impossible. More on this in a future post.
As a leader do you have a plan for the next 12-36 months to get and stay secure? Is it driven by a recent comprehensive organization-wide systemic risk assessment or do you just kind of hope (and pray) you don’t get popped (again, that you know of)? Probably not the former but hopefully your organization is better than the latter.
Imagine how great it would be if your technology helped you operate and manage risk better. We need to stop trying to convince ourselves what we are doing is the right thing tactically when all we are is “too busy to change”. Take that first step, assess your organizations’ systemic risk. Dig deep into your people, your processes, and your technologies. Take those findings, really assess your true risk honestly from an organization wide perspective and use well understood operations’ lifecycles like the NIST Cyber Security Framework as a north star to continuously evolve better operational capabilities. Please stop spending money just on point products during crisis and focus on understanding, managing and mitigating your systemic risk as a regular part of doing business. While this is turning into a board room concern, the practitioners among us may have to lead the way.