Semantics and Risk Management – Why Words Matter

I recently received an email from an old friend that reminded me that 20 years ago I earned my CISSP, the long-time gold standard for cybersecurity certifications. As a builder, defender, and leader, it’s frustrating to know I have the best knowledge, tools, and support of any time in my career but none of our adversaries must have certs or degrees or even nice things, and they still kick our collective butts every day. Why and how have we arrived at this point in history? We have global cyber warfare breaking out of the shadows and into public awareness, unrelenting cyber-attacks, and cybercrime along with the civilian analog to event fatigue, manifest in the general public’s indifference to ransomware, data breaches and identity theft. This really hasn’t gone according to plan yet for the good guys.

As I was writing this, I went back through one of my old textbooks from the era of my CISSP test to see how we used to characterize and measure risk. I found it difficult to nail down what the best minds of that time considered risk, they used it as a noun and a verb, and it was also a trigger for actions, but it wasn’t clear what RISK was. A few years after I passed the certification, the US Government codified cybersecurity “Risk” with the release of the Risk Management Framework. I’m not sure why, but to this day most people in IT and Cyber still struggle conceptually with Risk. Lots of books and frameworks and tools but ask 20 cyber professionals how to best assess it and how to use it to make decisions and you may get more than 20 answers. In the last five years, threat models have become more important to cyber professionals mainly because I believe they are more intuitive than risk from an operational perspective. Look at how in the game of cyber buzzword bingo, Mitre ATT&CK is everywhere because it gives us a common language and understanding to regain a modicum of control.

The National Institute of Standards and Technology (NIST) Risk management framework (RMF) was created to help provide guidelines to organizations to protect their information systems and data and effectively manage risk throughout a systems’ lifecycle. “Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.” (from https://csrc.nist.gov/Projects/risk-management/about-rmf)

Commercial Cybersecurity is a whole other animal, and I will touch on that in a later blog. For right now, I am going to pick on the US Federal Government’s application of the RMF. When I read the definition above, it starts with “organizational risk”, yet RMF is always applied to individual systems (and for a standard, sadly the consistency in RMF is best found in its inconsistent application, within and across organizations). We try very hard to build new systems better than in the past but there always seems to be too many reasons why planning and execution end up drifting far apart. This disparity puts tremendous pressure on a cybersecurity team’s ability to manage cyber risk for the organization. Let me say this one more time for emphasis, the scope of Risk Management is organization wide, yet we always assess at the individual system level. I know, “how do you eat an elephant? One bite at a time”. Somehow, we think that with each new system, we might get it right and then we fall back into a vicious cycle of failing to meet or exceed the standard. And we thought Sisyphus struggled mightily? Ok, when does the elephant get reassembled to assess for organizational risk? If you don’t add all of it back together at some point your tactics never become strategic. Outcomes can be even worse when it is inconsistently applied. Somehow the “organizational risk management solution” expects miracles through technology and technology driven processes alone. Have you ever been in a meeting where the system owner chooses to accept risk out of ignorance so it doesn’t derail an arbitrary commitment date, alter schedule or cost profiles, or inhibit potential promotion opportunity? Risk takes many forms and sometimes its not the technology, it’s the people involved.

Well, here we are, billions of dollars invested in people, process and technology to get to the point where we have finally just had to shrug and “assume breach”. We even have oddly named the branch of cybersecurity assigned to corrective actions and mitigations, DFIR (Digital Forensics and Incident Response). This sounds oddly like DEFER, which is how we appear to be doing Risk Management as a community…as in “lets defer this till we have more time.” Inadvertently and unknowingly we have become really good at deferring or let me use official risk language, transferring risk as our legacy.

Why is this so hard? First, I think we are missing the opportunity to assess systemic risks first. Systemic Risk helps us better define the scale and scope of our “environments” which encompasses not only our mission and people, process and technologies, but how we interact with the world around us. Second, it comes down to the semantics of two words. They are the definitions of “Complicated” vs “Complex”.

We like to use the words interchangeably but in reality; they are very different in the context of systems. A system in this case can really be the sum of all the sub-systems within an organization (which could be a division, a department or an agency or civilian or defense or wait for it, something bigger yet, like maybe the “Internet” is the system). The exercise is more than the assessment of risk for a single systems’ view if in fact you are assessing for Organizational Risk. Risk management as we define and assess it works in complicated environments but generally fails in large, dynamic, complex ones. Why? Because we believe we can control the variables and we usually aren’t even aware of all the ones that actually effect/affect us. In cyber security today we are really kidding ourselves if we think we control all of the variables. We need to approach security from the mindset of Complexity instead of Complication.

Why does this matter? Most of our risk management controls are based on a premise that once we set them up, they will continue to work properly. There are many things that can cause that assumption to fail without introducing cyber bad actors and criminals. When we add them to the mix, well they are just the special chaos sauce we need to guarantee unrelenting cyber event tempo and failed risk management objectives.

I alluded to agile and DevSecOps earlier. I believe these modern practices can indirectly offer us a cleaner path towards Cyber Security and Organizational Risk Management success. I say this because of several of the fundamental principles of these practices, including the concept of observability, automated testing (and yes Continuous ATO can and should leverage the same automated testing infrastructure) infrastructure-as-code and immutable architectures (cattle vs pets). All these concepts/constructs will be instrumental in allowing the next generation of risk managers and security operators to apply cybersecurity best practices, tools, and people better than today. When combined with complex system thinking, they also enable data science and cyber security teams’ a better, cleaner view of data to make decisions from.

Organizational risk management success will come from acknowledging we can no longer use tools designed for controlling and predicting complicated systems behavior because complexity rules the day, and we are never going back.