I've been thinking about the shift in thinking that should be part of a conversation about cyber security.
It came down to one word: messy.
It’s fair to say we live in a world that is rather messy. Russell Ackoff defined "a mess" as, "interacting problems or issues that are not easy to appreciate as a whole." You are in a mess if you can't put any structure to the situation.
So, are most organisations dealing with an unstructured (messy) security situation?
Organisations are not closed systems. You can't measure everything because things change so quickly.
The Internet is a vexing source of "unknown unknowns". We depend on software that, if you look closer, is made up of piece parts whose source is ambiguous at best. It’s becoming a more complex workplace for most employees with no definite way for the employer to tell what's good or bad behaviour.
It is safe to say that when it comes right down to it, most organisations are probably dealing with very messy systems and the band-aid is falling off.
The growth in terms of volume, speed and diversity of data, devices and global (machine-mediate) threats is non-linear and we should think about the problems and solutions differently. For example:
- The correlation analysis that is used to flag a security incident or track an impending threat is still divorced of much needed cause-and-effect accuracy. Visit a security operations centre and you'll see plenty of false alerts and difficulty in prioritizing action.
- The tolerance we have to broken links is untenable. To make informed risk-based decisions we should bring together policies and regulations, cultural expectations, intelligence gathering outcomes and the lessons-learnt from incidents.
- We can't build "naive" systems anymore. They should be "street smart" out of the gate, with the engineering knowledge that intrusions will get through and data will leak.
Maybe now the shift in thinking is from securing an environment to anticipating changes and adapting to an ever changing security ecosyste.
Blog post by Walid Negm, Senior Director, Security Products & Offerings, Accenture