Keeping Up With Changing Technology by Reducing Complexity
Blog Article Published: 11/15/2019
By John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP, CSA Research Fellow, Assurance Investigatory Fellow, Cloud Security Alliance
Fox News reported that in answer to the previous Boeing 737 accidents, the Federal safety officials say, “Boeing should consider how cockpit confusion can slow the response of pilots who are dealing with the kind of problem that likely caused two airliners to crash in the past year."
"They suggest that Boeing underestimated the time it takes for pilots to diagnose and react when they are being bombarded by multiple, cascading warning alerts."
Think about it; they were bombarded by multiple, cascading warning alerts that taxed their ability to respond in a timely fashion. There were two issues there:
- Too much complexity was built into the system
- They underestimated the time it takes to diagnose and react.
The more complex systems become, the less secure they become, even though security technologies improve.
While there's nothing wrong with improving technology, we always need to consider the human element since leveraging multiple systems can create a fragmented environment. Underlying the current security failings is a critical, under appreciated problem -- fragmentation.
Root Cause of Cost Increase & Poor Data Governance
Fragmentation is at the heart of the ineffectiveness of our efforts to continue to improve. Fragmentation happens when we focus on individual parts without adequately appreciating their relation to the evolving whole. This unbalance is one of the root causes of the more obvious security issues of continued cost increases, poor data governance, and inadequate planning. Not addressing this problem is essential because fragmentation leads to well-intentioned actions that sometimes have unintended consequences that often make things worse.
Unintended consequences of fragmentation:
Narrowly focused programs and services is an excellent strategy for reducing the security budget, but it is not a strategy for efficiently implementing an effective holistic information/cybersecurity system. Efficient strategic planning should analyze and prioritize based on a holistic analysis of risk. This analysis should include all applicable elements of people, process and technology. It should hone in on the critical scope and then implement the applicable controls that are justified based on that risk assessment.
It is no fluke that technologically has advanced, yet security breaches continue to grow exponentially. Risk Based Securities mid-year report noted that 2019 is on track to be the "worst year on record" for breach activity. Spending more on the parts has not improved the whole. Today many of the efforts toward improving security are directed at narrow programs with insufficient attention to the larger scope they are trying to affect. Many times scope is the problem because the scope is not "fit for purpose." The lack of an integrative way of addressing security and implementing proper controls only addresses the short-term problems and may keep costs down (for the time being) but ignores the greater objective of addressing the total system within the context of the organization.
I was on a website of an organization that was claiming "X Security Controls will stop 85% of Cyber Attacks". Not "address," not "help mitigate" but STOP! Seriously? Further, if you implement X more of the controls, you'll prevent 97% of attacks.
Treating security as a commodity can unintentionally deemphasize the seriousness and real scope of the issue. Especially when addressing cloud security, that can be a perilous road to go down. The cloud is a dynamic environment where things are always changing, especially security threats. You have to first understand what needs to be protected and from what. Risk assessment is a real-time living process and the controls change as the environment changes. Cybersecurity is not a science; at least not yet.
Some advertised solutions focus on delivering their well-intentioned services without consideration of their effect on the whole system or the reality that scope and specific SLA's that change the way you approach cybersecurity strategy. They also ignore how many and what controls need to be put in place. The true urgency of cybersecurity is reduced when it is treated as a commodity. Conversely, other solutions take the approach that the more complexity, the better.
How can we start being a part of the solution?
The CSA Cloud Control Matrix (CCM), The Consensus Assessments Initiative Questionnaire (CAIQ) and the CSA STAR Program come together as an integrated approach that helps companies understand the fundamental problem of fragmentation and how to reduce it. And the first step towards reducing fragmentation, is simply reducing complexity. Viewing security as an evolving integrated system instead of only as fragmented parts or small insignificant scopes that are not fit for purpose, can help our industry to feel hope where now there is skepticism. Transparency, trust and information sharing instead of detachment and isolation. Professional and corporate shared responsibility instead of narrow self-interest.
Here is my challenge...
- Listen to my Podcast interview with Doctor Ron Ross; Senior Fellow at NIST "The growing complexity around cybersecurity and evolving technology."
- Take a deep dive into the STAR Program and the STAR Registry and then take a self-assessment using the CAIQ.
Contact us for a detailed conversation if you are so inclined. We would love to hear from you. [email protected]
About the Author
John DiMaria is the Assurance Investigatory Fellow for the Cloud Security Alliance. He has 30 years of successful experience in Standards and management System Development, including Information Systems, Business Continuity, and Quality. John was one of the innovators and co-founders of the CSA STAR program for cloud providers, a contributing author of the American Bar Association's Cybersecurity Handbook, a working group member, and a key contributor to the NIST Cybersecurity Framework. He currently manages all facets of the CSA STAR Program which includes security, privacy, continuous monitoring and development of new solutions.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.