Guest Post by Jack Whitsitt, TSA/DHS, Cyber Security Awareness and Outreach
I’ve seen people fly, I’ve seen birds fly, I’ve seen a horse fly, I’ve even seen a house fly, but I’ve never seen an organization fly. And, as silly as it might seem, this really does have significant implications for managing cyber risk – especially when we look incredulously at the many public compromises and wonder “why does it keep happening?”
A good way of approaching that question is to look at where cyber risk management is “succeeding”. Succeeding? Yes! Cyber risk is, in fact, being managed – and quite well! If you doubt this, you might need to ask yourself important questions like “Which risks are being managed?” and, more importantly, “Which risks to *whom*?”
What I mean to say is that, while organizations can have an effect on the world around them, they can’t actually be seen or touched. They’re not tangible and they can’t…“fly”. Instead, they are the conceptual sum of the many varied decisions of individual people. These conceptual sums are inanimate; they cannot – and do not – feel risk. Instead, it is their executives, owners, employees, and customers who feel risk. Their soft, squishy human hopes, dreams, passions, fears, biases, moods, and biochemistries ultimately drive organizational “risk tolerance” and we should never forget it. Here, it’s crucial to understand that people almost exclusively put risks to themselves ahead of all others (including an organization’s).
So, then, if the “collective” risks to individuals do trump all else, where do we look for ownership and resolution?
Well, some would say “users”, but do “users” (or “individual performers”) care more about meeting their boss’s expectations or saving the intangible organization from invisible adversaries and hidden costs without direction? Probably the former. Further, while “the bosses” who set these expectations might see that the cyber problem exists, their primary risks revolve around meeting their own senior leadership’s expectations as well.
Ok, but isn’t IT Security key to cyber risk management? Not really. IT Security, like any other group, must align itself with its senior leaders’ and executives’ priorities. Without that alignment it holds no sway or effect.
So, then, it’s on Executives. Senior leaders, what drives your risk appetites?
I ask because cyber risk management is a hard problem. Aren’t you safest if you follow best practices and “buy Cisco”? Ultimately, if you do and your organization gets compromised, what happens to you? Most likely very little – you did your best after all. Is it even in your best interest, then, to know cyber is a hard problem? If you’re aware that best practices have been failing like communism, aren’t you then obligated to come up with solutions of your own? Wow. No way. It’s best to believe the hype; best to buy Cisco; best to keep transferring the risk.
Intentional ignorance (or lack of “awareness”) isn’t just bliss, it also reduces risk to those people directing organizations and dictating the priorities of their human building blocks.
About Jack Whitsitt, TSA/DHS, Cyber Security Awareness and Outreach
Mr. Whitsitt brings a breadth of cyber security knowledge and thought leadership to any discussion. His early efforts, which have been cited in IEEE papers, thesis research, and other works, included leading an open source development group in creating novel tools to respond to attacks, creating new methods of correlating and visualizing large-scale security information, and supporting large US government and civilian incident response teams looking at traditional IT networks. More recently, Whitsitt has been working in the areas of control systems (SCADA) security and national-level risk management, partnership, and information sharing. In 2009 and 2010, he worked for Idaho National Lab as an early member of DHS’s national ICS-CERT team, part of the DHS NCCIC, responding to critical infrastructure incidents of national consequence. Currently, he is a federal employee supporting TSA in its capacity as the Sector Specific Agency (SSA) for transportation (including pipeline) security. In this role, he has been facilitating a national initiative for transportation that implements a reasoning framework for guiding strategic national cyber security policy within the sector and provides organizations with national-level insights into their own individual risk management efforts.