Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

​Keeping Up With Changing Technology by Reducing Complexity

Home
Industry Insights
​Keeping Up With Changing Technology by Reducing Complexity

Blog Article Published: 11/15/2019

By John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP, CSA Research Fellow, Assurance Investigatory Fellow, Cloud Security Alliance

Fox News reported that in answer to the previous Boeing 737 accidents, the Federal safety officials say, “Boeing should consider how cockpit confusion can slow the response of pilots who are dealing with the kind of problem that likely caused two airliners to crash in the past year."

"They suggest that Boeing underestimated the time it takes for pilots to diagnose and react when they are being bombarded by multiple, cascading warning alerts."

Think about it; they were bombarded by multiple, cascading warning alerts that taxed their ability to respond in a timely fashion. There were two issues there:

  1. Too much complexity was built into the system
  2. They underestimated the time it takes to diagnose and react.

The more complex systems become, the less secure they become, even though security technologies improve.

While there's nothing wrong with improving technology, we always need to consider the human element since leveraging multiple systems can create a fragmented environment. Underlying the current security failings is a critical, under appreciated problem -- fragmentation.

Root Cause of Cost Increase & Poor Data Governance

Fragmentation is at the heart of the ineffectiveness of our efforts to continue to improve. Fragmentation happens when we focus on individual parts without adequately appreciating their relation to the evolving whole. This unbalance is one of the root causes of the more obvious security issues of continued cost increases, poor data governance, and inadequate planning. Not addressing this problem is essential because fragmentation leads to well-intentioned actions that sometimes have unintended consequences that often make things worse.

Unintended consequences of fragmentation:

Inefficiency

Narrowly focused programs and services is an excellent strategy for reducing the security budget, but it is not a strategy for efficiently implementing an effective holistic information/cybersecurity system. Efficient strategic planning should analyze and prioritize based on a holistic analysis of risk. This analysis should include all applicable elements of people, process and technology. It should hone in on the critical scope and then implement the applicable controls that are justified based on that risk assessment.

Ineffectiveness

It is no fluke that technologically has advanced, yet security breaches continue to grow exponentially. Risk Based Securities mid-year report noted that 2019 is on track to be the "worst year on record" for breach activity. Spending more on the parts has not improved the whole. Today many of the efforts toward improving security are directed at narrow programs with insufficient attention to the larger scope they are trying to affect. Many times scope is the problem because the scope is not "fit for purpose." The lack of an integrative way of addressing security and implementing proper controls only addresses the short-term problems and may keep costs down (for the time being) but ignores the greater objective of addressing the total system within the context of the organization.

Commoditization

I was on a website of an organization that was claiming "X Security Controls will stop 85% of Cyber Attacks". Not "address," not "help mitigate" but STOP! Seriously? Further, if you implement X more of the controls, you'll prevent 97% of attacks.

Treating security as a commodity can unintentionally deemphasize the seriousness and real scope of the issue. Especially when addressing cloud security, that can be a perilous road to go down. The cloud is a dynamic environment where things are always changing, especially security threats. You have to first understand what needs to be protected and from what. Risk assessment is a real-time living process and the controls change as the environment changes. Cybersecurity is not a science; at least not yet.

Some advertised solutions focus on delivering their well-intentioned services without consideration of their effect on the whole system or the reality that scope and specific SLA's that change the way you approach cybersecurity strategy. They also ignore how many and what controls need to be put in place. The true urgency of cybersecurity is reduced when it is treated as a commodity. Conversely, other solutions take the approach that the more complexity, the better.

How can we start being a part of the solution?

The CSA Cloud Control Matrix (CCM), The Consensus Assessments Initiative Questionnaire (CAIQ) and the CSA STAR Program come together as an integrated approach that helps companies understand the fundamental problem of fragmentation and how to reduce it. And the first step towards reducing fragmentation, is simply reducing complexity. Viewing security as an evolving integrated system instead of only as fragmented parts or small insignificant scopes that are not fit for purpose, can help our industry to feel hope where now there is skepticism. Transparency, trust and information sharing instead of detachment and isolation. Professional and corporate shared responsibility instead of narrow self-interest.

Here is my challenge...

Contact us for a detailed conversation if you are so inclined. We would love to hear from you. [email protected]


About the Author

John DiMaria is the Assurance Investigatory Fellow for the Cloud Security Alliance. He has 30 years of successful experience in Standards and management System Development, including Information Systems, Business Continuity, and Quality. John was one of the innovators and co-founders of the CSA STAR program for cloud providers, a contributing author of the American Bar Association's Cybersecurity Handbook, a working group member, and a key contributor to the NIST Cybersecurity Framework. He currently manages all facets of the CSA STAR Program which includes security, privacy, continuous monitoring and development of new solutions.

Compliance

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
How to Set Your Small Privacy Team Up for Success

Published: 04/17/2024

How to Audit Your Outdated Security Processes

Published: 04/16/2024

Cloud Relationships: Getting to Grips With the ‘Vendor of My Vendor’

Published: 04/15/2024

Evaluate the Security of Your Cloud Service Provider with the CSA STAR Registry

Published: 04/13/2024