Managing Risk in the Modern World – Focus on What You Can Change and Affect, and Then Deal With What Nature and the Universe Send Your Way.
A Walk Through Logan
I boarded a plane in Boston on a recent business trip, and my trip to and through the airport made me realize a few important facts about security, from the parking lot through screening and even with respect to the signs around the airport and what’s being carried on the television sets in the waiting areas. But more on that in a bit.
Complexity is the Enemy
The first principle I think is important to convey is that complexity and scale are inherent in many of the systems we build, and that they carry with them a risk that grows with size and scope. In fact, many systems grow to such an extent that they rapidly outstrip their initial design considerations, as obvious examples like Y2K and the need for IPv6 show.
It is a wonderful thing that we have constructs like the Internet that can aggregate information as never before and open up a world of applications that add value and enrich our lives. The potential of the Internet and all we’ve built on it seems to be expanding “up and to the right,” and possibly reaching towards a singularity of some sort in the distant future – although I’ll leave further speculation on that to the techno-optimists.
We need to remember that the Internet has also reached a size that makes it critical to understand complexity and to keep in mind that complexity itself is often the enemy of security.
Securing a Legacy Infrastructure
Imagine if you had to secure an airport with two gates and about 200 passengers a day, servicing at most three cities with direct flights. That would be a fairly simple task…but now imagine that airport growing. It adds gates and terminals and parking and new destinations and new services, including cargo services; and the highways servicing it expand; and the rail network and subway begin to connect to it. The task of securing fairly linear growth in any of these dimensions would mean simply doing more of the same…but if you had four people securing your airport on day one as a regional hub, could you continue to linearly expand security measures as the airport grows into a vital part of the national and international infrastructures?
The obvious answer is no. The effect that airports in particular have on cities has been shown by the Economist: cities that build airports miles away wind up stretching and building in a new direction, expanding until the airport becomes central to the emerging and evolving city.
I remember taking the train across the United States in 2002, and it was amazing to see how towns and cities obviously used to face the rails and now faced the new, higher speed road networks and air hubs. Why? Because the expansion of potential that these new infrastructures introduce pulls Humans (who are fundamentally economic creatures) for good and for ill.
New potential, growth and new opportunities for wealth and development pull the bad along with the good. The new structures frequently challenge our accumulated security and safety wisdom; they increase both the likelihood of an incident and the damage an incident can cause; and they make it easier for criminals and vandals to do bad things.
Bringing it Back to Technology
In customer meeting after customer meeting, with technologists and analysts and other rogues, I am constantly asked about disruptive technologies: will The Cloud (as if there were just one) change everything? What about Smart Phones and Tablets? Has Cybercrime reached crisis levels?
The answer to most of these questions is “this too shall pass.” Living in the moment, we have missions that are quite clear, and for security folks the mission is to reduce risk. That means adapting and becoming more efficient, and treating change as a permanent state rather than an event.
To do this, we need to employ levers: we need to make our people more effective at executing policy and measuring what is happening (I am a strong believer that if you can’t measure a thing, you can’t really manage it). Employing automation in particular is a necessity, but it’s also dangerous. It requires an understanding of how automation can be exploited and how an intelligent opponent will seek to exploit processes and levers to their own advantage.
To get there requires building experience and wisdom and, in short, doing a little GRC to get things moving.
Why Governance and Compliance Matter (and washing your hands)
The promise of GRC is that we can actually build simpler systems while exploiting advantages and benefits from new technologies. We want to build efficiently and not just linearly scale yesterday’s solutions into the future.
So let’s use an analogy and move on to an operationalized (i.e. descriptive) definition.
If you go into a restaurant, you will see signs in the bathrooms in most countries (or at least, I hope you will!): something to the effect that employees must wash hands before returning to work. This is a simple instance of a policy, and the way it is implemented with signs, education, tools and the like, is really a form of governance. The compliance part is a little weak since there aren’t many checks to make sure that employees actually wash their hands, but there are even auditors in some places in the form of health inspectors who investigate employee behavior in restaurants.
You can imagine a health outbreak sweeping through a city or state or province, with people getting sick in public restaurants. What would the reaction be? Probably some form of legislation that would require better governance or compliance checking to reduce risk. In fact, this is exactly what happened in medicine with the advent of germ theory: hand washing got taken a lot more seriously to reduce risk.
In a sense, risk reduction became the guiding principle, although I would imagine in the medical example that in the early days it took a lot of fines, penalties, rules, governance overhaul and disciplinary actions to enforce. Sound familiar?
Here is a very simple definition of GRC, followed by why it matters for security:
• First, we want to build systems that can take policy and carry it out. That sounds simple, but if you take a simple policy like “PII data should be handled only by approved employees,” it’s actually very difficult to build an infrastructure that can accept that policy in a simple, predictable, repeatable way. Before we go too deep here, let’s accept that if we can do this, we will have done a lot to improve the Governance, and that’s the “G.”
• Next, we want the infrastructure to tell us how it is behaving with respect to our policies. That is compliance, or the “C.” In a sense this is the most important thing to do and to do right: like a surgeon who monitors a patient’s vitals before cutting, we need feedback loops and instrumentation before we act blindly.
• Finally, we have the “R” for risk; and you’ll notice I left this for last. That’s because right now we are really focusing on the “C” in GRC and slightly more on the “G” in more mature shops. Ideally, we want the focus to be on “R”: we should all be risk managers, and not widget managers. I want GRC to be more like “gRc” than it is today.
The last point here is crucial. If we can get to a point where we have a lot of the “G” and the “C” done in repeatable and predictable and reliable ways that require little effort, resources or energy…we will have naturally automated a lot, become much more efficient, and we will have by necessity reduced complexity.
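To make the three bullets concrete, here is a small added example (written for this page, not code from the column or from any product it mentions). It takes the column’s own sample policy, “PII data should be handled only by approved employees,” encodes it once so a system can carry it out (the “G”), runs a batch of access events through that decision logic and reports how the environment behaved (the “C”), and weights each violation by the sensitivity of the data touched so the result is a risk number rather than a widget count (the “R”). The policy table, the identity directory, the data classes, the weights and the event log are all constructed assumptions; note that the decision fails closed on unknown users and on data nobody has classified, which is the check a practitioner most often finds missing.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Policy, written once so that it can be carried out mechanically (the "G").
# Data classes, roles and systems are assumptions constructed for this example.
POLICY = {
    "pii": {"roles": {"hr", "payroll"}, "systems": {"hris", "payroll-app"}},
    "public": {"roles": {"*"}, "systems": {"*"}},
}

# Exposure weight per data class, used to turn violation counts into risk (the "R").
# Assumed values; a real shop would derive these from its data classification.
DATA_WEIGHT = {"pii": 10, "public": 1}
UNCLASSIFIED_WEIGHT = 5  # data nobody has classified yet is itself a finding

# Assumed identity directory (constructed): user -> set of roles.
DIRECTORY = {
    "alice": {"hr"},
    "bob": {"engineering"},
    "carol": {"payroll"},
}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    system: str
    data_class: str
    action: str


def decide(event: AccessEvent) -> tuple[bool, str]:
    """Policy decision point: returns (allowed, reason) and fails closed."""
    rule = POLICY.get(event.data_class)
    if rule is None:
        return False, "unclassified data: deny by default"
    roles = DIRECTORY.get(event.user)
    if roles is None:
        return False, "unknown principal"
    if "*" not in rule["roles"] and roles.isdisjoint(rule["roles"]):
        return False, f"role not approved for {event.data_class}"
    if "*" not in rule["systems"] and event.system not in rule["systems"]:
        return False, f"system {event.system} not approved for {event.data_class}"
    return True, "approved"


def compliance_report(events: list[AccessEvent]) -> dict:
    """The "C": measure how the infrastructure behaved against the policy.
    The "R": weight each violation by the sensitivity of what was touched."""
    denied_by_user: Counter = Counter()
    denied_by_reason: Counter = Counter()
    risk = 0
    allowed = 0
    for ev in events:
        ok, reason = decide(ev)
        if ok:
            allowed += 1
            continue
        denied_by_user[ev.user] += 1
        denied_by_reason[reason] += 1
        risk += DATA_WEIGHT.get(ev.data_class, UNCLASSIFIED_WEIGHT)
    total = len(events)
    denied = total - allowed
    return {
        "total": total,
        "allowed": allowed,
        "denied": denied,
        "violation_rate": denied / total if total else 0.0,
        "top_offenders": denied_by_user.most_common(3),
        "reasons": dict(denied_by_reason),
        "risk_score": risk,
    }


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    AccessEvent("alice", "hris", "pii", "read"),             # approved role and system
    AccessEvent("bob", "hris", "pii", "read"),               # engineer touching PII
    AccessEvent("carol", "laptop-export", "pii", "export"),  # right role, wrong system
    AccessEvent("bob", "wiki", "public", "read"),            # public data is open to all
    AccessEvent("mallory", "hris", "pii", "read"),           # not in the directory
    AccessEvent("alice", "hris", "secret-project", "read"),  # nobody classified this data
]

if __name__ == "__main__":
    for key, value in compliance_report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The point of the report is the shift the column asks for: the same evaluation that enforces the policy also produces the measurement, so compliance costs no extra effort, and the risk score (not the raw denial count) is what a risk manager would watch. An export of PII to an unapproved system by an otherwise approved employee scores the same as an outsider reading it, because the exposure is the same.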
Security, Complexity and Risk
Security is a much abused term: we sometimes mean comfort or safety, we sometimes mean a thing you “buy” in a 1u rack-mountable appliance, we sometimes mean a security guard and we sometimes mean a quality in a system. It’s that last one that I care most about in this context. GRC done right naturally takes security to the next level.
Things Still Go Wrong
I was reminded sadly as I waited for my plane, that things still go wrong despite the very best of planning. An example would be the recent earthquake and tsunami that hit Japan, one of the most well-planned and managed societies on Earth. The orderliness and degree of safety inherent in daily life in Japan is evident…and even here a third disaster is brewing despite the very best planning and contingencies: the Fukushima Daiichi nuclear plant is now at a crisis point.
This is risk too, and as we know from The Black Swan (the book, not the film), we human beings find it very hard to predict when discontinuities will occur, even though in hindsight they seem inevitable.
The Moral of the Story
Be a risk manager – it’s pretty straightforward. That means fight for simplicity and leverage, and don’t just prepare or brace for change. Use automation aggressively and carefully, and most of all build the wisdom of your people, your processes and your organizations on a progressive maturity curve.
Read Sam’s Other Featured Columns Here
Remember also that disasters sometimes happen in spite of the very best planning, and that the real character of a person, an organization or a nation shows in the moments when they deal with the unforeseeable, for which there are few plans. Focus on what you can change and affect, and then deal with what nature and the Universe send your way.
Oh, and don’t forget to wash your hands. It’s been pretty good advice for a long time now.
Read More in SecurityWeek’s Risk Management Section