IT and security teams must learn how to navigate to uncertain environments in order to build lasting resilience, according to Jordan Schroeder, deputy MD & managing CISO at Hefestis, speaking during a session at the virtual Digital Transformation EXPO. This concept is especially relevant given the current context: “2020 could easily be called the year of uncertainty,” he noted.
This requires a significant mindset shift within the industry: “Uncertainty can be particularly frustrating because we rely on some sense of certainty to achieve our goals. But we can achieve our goals without needing certainty, and that’s how we build resilience,” observed Schroeder.
The first stage is to abandon the notion of shoulds – a preconception of what is supposed to happen. Security teams should instead base their operations around dealing with new realities, working out the small iterative steps in technologies and practices required.
Schroeder also noted that when new technology is exposed to people, this creates a situation of ‘perfect uncertainty’, due to the unpredictability of human behaviors. It is impossible to even predict what effect controls that are put in place in these technologies will have; for example, people may find ways to get round them or find a way to use controls to do what they want it to do.
How to tackle uncertainties is something that’s become commonplace in other contexts. Schroeder gave the example of children’s birthday parties: instead of trying to plan an outcome, parents instead will put in place a range of ideas that might work and watch how the children interact with them. Those that lead to good outcomes and behaviors will then be encouraged, whereas things that are not successful will be removed and discouraged.
“Resilience is moving forward without being able to map what success is going to look like and letting go of your preconceptions,” Schroeder added.
He applied this principle to IT, and the common scenario of server patching, outlining that admins often delay the introduction of patches when they are available because they are afraid that they may go wrong and subsequently be blamed for the failure by management. Instead of assigning blame when something goes wrong, an approach of testing and learning what does and doesn’t work should become the norm.
In the second part of the session, Schroeder was joined by Lisa Forte, partner at Red Goat Cyber Security, to discuss this concept of resilience further. They firstly highlighted the Maersk NotPetya ransomware attack of 2017, and pondered whether its response should be regarded as the Gold standard for other organizations to follow. While the company was wholly unprepared for the attack, its “hyper-transparency” in releasing the details of the incident and learning how to protect themselves better, should be applauded. Schroeder commented: “They had an interconnectedness in their networks and systems that they didn’t predict, and it's huge to know that they had this vulnerability.”
Forte added: “You proceed with a course of action, but you have to have the confidence and the flexibility to say this isn’t working, we’ve got to quickly think on our feet, and we’ve got to change it.”
They went on to analyze how organizations should handle the issue of insider threats. Rather than the blaming ‘bad apples’ as is often the case, companies should take on a much more nuanced overview of situation. Schroeder noted: “For a lot of people, there errors are a result of something else within an organization – from management, their environment, the tasks they’re doing, their supervisors, the culture of the company – all of these things can contribute to the actions of the end user.”
Forte added: “If you’ve got an insider threat that’s manifested, it’s the end symptom of a chronic disease that’s in your organization.”
Creating a culture of flagging suspicious behaviors amongst staff within organizations is therefore a critical aspect of preventing insider threats. However, this is rarely the case. Forte highlighted research she worked on last year showed that there would invariably be no reporting of senior members of staff, regardless of how suspicious their behavior is.
To address this issue, an environment in which all staff are empowered to raise issues, regardless of their place within a company’s hierarchy. Schroeder said for this to happen “the senior management needs to very explicit that this is OK, that they are open to that feedback.”