In a world where everything is changing, how should a CISO keep up? The big challenge in security, as in so many other fields right now, is uncertainty. How will a recession impact your business? When will people come back to the office? Will they come back? In your rush to support remote workers, did you build out reliable infrastructure that will stand the test of time, or did your organisation rush to make the online equivalent of a shanty town, with jury-rigged connectivity and rushed security controls?
Many businesses are taking stock of how much they can make use of the cloud. How this plays out depends on where you were along the cloud adoption spectrum before all this happened. Some organisations were already “all in” on cloud data centres, while others suddenly realised their business runs on critical physical equipment that hasn’t been operated remotely before, wasn’t ready, and in some cases, can’t work remotely. Legacy data processing apps are one thing, but processes based on specialised equipment like air traffic control or manufacturing are quite another. At the far extreme, there are some activities like sports, or meat processing, or parts of healthcare where we still haven’t figured out a way to remove the physical, in-person requirement for people. A great many organisations are a hybrid of more than one of these, with some online business easily moved to remote work, but some others lagging.
This adds up to an environment that is changing rapidly, and not towards any single best pattern. In much the same way that all politics is local, and all health care is personal, every organisation’s best IT and cybersecurity response to the pandemic is unique. This creates enormous stress on the CISO’s and CIO’s organisations, since you can’t simply copy others. Nobody really likes to think of themselves as a follower, but when we really are forced to make all our decisions ourselves – if we’re honest – we rapidly learn that decision making is highly stressful. It’s easy to get lost in a sea of detail.
Decision making would be hard enough if we had already arrived at the “new normal,” and all we had to do was reconcile the work-from-home stresses on infrastructure with the push to remote access and the cloud. (Oh, and all that while still refining our strategy for 5G, and IoT, and privacy regulations.) The trouble is, we already know we’re not at the new normal yet – global leaders all agree that things are going to change some more, but nobody knows exactly when, or how much, or what the final “new normal” will look like.
So, it’s not enough to adapt to the new reality – we have to go further, we have to make moves when we know the future will be highly dynamic and will shift faster than we can anticipate. Planning for uncertainty is nothing new to a CISO. We all appreciate the value in quantified risk assessments about uncertain things like when the next breach will succeed. We can accept, or mitigate, or transfer those sorts of risks. But we are now at a higher level, because the risk is not just about whether a given precious resource will be breached or infected – the risk is now at the level where the rules of the game are shifting. Even insurance companies, who specialise in quantified risk, don’t have good ways to handle systemic, coordinated, global changes in how we all operate.
Is the situation hopeless? Far from it. Humans are among the most resilient creatures that ever evolved, due to our adaptability. (There is a theory of human origins that suggests we arose not because of one unique environmental pressure, but because of a significant increase in the variability of planet-wide temperature, leading to survival of the most adaptable, not the near-term fittest.) What we need next is digital resilience for our infrastructures – not just the right architecture, but the right ability to change as situations change.
Investing in gathering knowledge
Where does digital resilience come from? More than anything, it comes from understanding – knowing your organisation’s unique characteristics (like how much it runs on laptops versus muscle power), knowing how your business flows get the job done, and knowing the underpinnings your business relies on. This sounds simple, but practice shows that it isn’t. Most organisations have holes in what they know about their own internal operations. These gaps lead directly to breaches and to an inability to adapt in a changing world.
This is why every CISO, even in a stressful time like this, has to take time away from firefighting to invest in gathering knowledge. At a business level, how are orders processed, and what’s involved in the whole customer journey? At a technical level, what assets support all this, how are they connected, and how would you cope if you had to swap out any piece (due to an outage, a breach, or nowadays, due to a rush to push as much as possible outside the walls of the organisation)? Capturing business process is still primarily a human-driven activity, but mapping infrastructure – on-premise, remote, and cloud – can be automated. It can help you understand the map on which your ever-changing, organic organisation is surviving and thriving.
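The two kinds of knowledge described above (which assets each business flow depends on, and what breaks if any one piece is swapped out) can be captured in a small dependency map and queried automatically. The following is an added example, not code from the author or from RedSeal; the flow names, asset names and inventory are constructed sample data, and the model (each step of a flow satisfied by any one of its listed assets) is an assumption chosen to show the idea.

```python
"""Dependency-map resilience check (added example, constructed data).

Each business flow is modelled as an ordered list of steps, and each
step as a tuple of assets, any one of which can satisfy that step
(e.g. an on-premise front end OR its cloud replacement). Given that
map we can answer two of the questions the text raises:
  - which flows stop if a given asset is removed (outage, breach,
    or a deliberate move outside the organisation's walls), and
  - which assets are single points of failure for some flow.
We also check the map against the asset inventory to surface the
"holes in what we know": assets a flow relies on that nobody has
recorded.
"""
from itertools import chain

# Constructed sample map: flow name -> steps; each step -> alternatives.
BUSINESS_FLOWS = {
    "order-processing": [
        ("web-frontend-onprem", "web-frontend-cloud"),  # either works
        ("order-db-primary",),
        ("payment-gateway",),
    ],
    "remote-access": [
        ("vpn-concentrator",),
        ("identity-provider",),
    ],
    "factory-line": [
        ("plc-controller",),       # physical equipment, no remote twin
        ("historian-server",),
    ],
}

# Constructed inventory; deliberately missing "historian-server" to
# show how an unrecorded dependency is detected.
KNOWN_INVENTORY = {
    "web-frontend-onprem", "web-frontend-cloud", "order-db-primary",
    "payment-gateway", "vpn-concentrator", "identity-provider",
    "plc-controller",
}


def all_assets(flows=BUSINESS_FLOWS):
    """Every asset referenced by any step of any flow."""
    return set(chain.from_iterable(chain.from_iterable(steps)
                                   for steps in flows.values()))


def flow_survives(steps, lost):
    """A flow survives if every step still has at least one asset
    that is not in the set of lost assets."""
    return all(any(asset not in lost for asset in step) for step in steps)


def impact_of_losing(asset, flows=BUSINESS_FLOWS):
    """Sorted names of flows that stop if `asset` is swapped out."""
    return sorted(name for name, steps in flows.items()
                  if not flow_survives(steps, {asset}))


def single_points_of_failure(flows=BUSINESS_FLOWS):
    """Map each asset whose loss halts at least one flow to those flows."""
    result = {}
    for asset in sorted(all_assets(flows)):
        halted = impact_of_losing(asset, flows)
        if halted:
            result[asset] = halted
    return result


def unmapped_assets(flows=BUSINESS_FLOWS, inventory=KNOWN_INVENTORY):
    """Assets a flow depends on that are absent from the inventory:
    the knowledge gaps that lead to surprises during an outage."""
    return sorted(all_assets(flows) - inventory)


if __name__ == "__main__":
    for asset, flows in single_points_of_failure().items():
        print(f"single point of failure: {asset} -> {', '.join(flows)}")
    print("losing web-frontend-onprem halts:", impact_of_losing("web-frontend-onprem") or "nothing")
    print("assets missing from inventory:", unmapped_assets())
```

In practice the flow map is built from discovery data rather than typed in by hand, but the queries stay the same: run `impact_of_losing` before a planned migration, and treat a non-empty `unmapped_assets` result as a finding in its own right.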
Too much attention in cybersecurity is paid to detecting the bad guys as they attack, or worse, once they are already inside your network. This hunting is the sexy part of the work, and don’t get me wrong, it’s always necessary. But if we only invest energy there, we are like firefighters who are always rushing to put out fires, but who cannot convince anyone to build safer buildings that aren’t death traps. Digital resilience comes from planning ahead – knowing how your business operates, and how your technical infrastructure achieves those ends. City planners who invest only in firefighting eventually reach their Chicago Fire moment, and realise only too late that they have to change their practices.
Dr Mike Lloyd, CTO, RedSeal