The Force Multiplier in Cybersecurity
I think there should be sufficient consideration and care in an organization when it comes to making edicts or enacting policy changes that will substantially affect large portions of the organization and its stakeholders (e.g., clients, partners, suppliers, investors). This generates what I like to refer to as a Force Multiplier, as the effort for implementation and use increases and expands throughout the affected ecosystem. This is true for most aspects of an organization, but it is certainly present in cybersecurity.
Those involved with cybersecurity (or those who should be :-) endure a barrage of information regarding concerns, issues, and risks, which they are expected to manage effectively. There are the typical ones, such as announced vulnerabilities in software that their organization uses. These items typically come with reasoned assessments from arguably competent organizations. Such vulnerability announcements and ratings typically form the starting point for your own team's assessment of your own respective risk. This in turn determines for your group what the appropriate action should be, and in what timeframe the action should be undertaken. However, there are other desired actions, such as the introduction of an additional security control, where the reasons may not be as clear cut for the practitioners.
In fact, sometimes even a simple statement from a high-ranking executive can drive a tremendous level of work in response, the nature of which may or may not be warranted. A simple statement, such as "make sure project 'galaxy' is 'fully' secure" from, say, an executive VP, could drive tremendous effort based on how various levels of leadership interpret "the ask". Please don't get me wrong: all or portions of what is ultimately done may be warranted. However, there does exist the potential for efforts to go "overboard" to provide 142% satisfaction to the organization's leadership. Another potential situation in this realm is when new policies are enacted without a sound basis. Various aspects should be analyzed, such as risk, outcome, and business impact. These scenarios can drive additional effort and cost across the organization that may not be warranted: the Cybersecurity Response Force Multiplier Bonus. What are your thoughts about the potential for such situations in your own organization?
When it comes to medium or large organizations, there are multiple layers of cybersecurity, from the C-level, through midlevel organizations, and on down to the actual solution developers, practitioners, or administrators (e.g., the SysAdmin for a Linux server). Each layer in the organization may have its own perspective on a particular concern, issue, or risk, such as the reaction to a specific announced vulnerability or required change. Where the situation can get more contentious and confusing is when policy changes are enacted, or when cybersecurity mandates are given at higher levels, which are not demonstrably based on formal analysis. This highlights the importance of collaboration, transparency, and concise supporting documentation.
I think it is important for an organization to collaborate with stakeholders during the process of evaluating the risk, impact, and outcome of potential changes in cybersecurity policy. We have often found that things run smoother and overall security posture improves when people understand the basis for a particular requirement, and the requirement is founded on sound business reasoning. For example, people may not be happy about creating passwords that require mixed characters and a length of 15. However, they usually understand the need, and a logical analysis of the need can be provided. An organization may not be able to share all the specific details related to a particular change with every employee and every user, but sufficient transparency should be present to provide the reasoning and analysis that supports the change. The concise documentation supporting the change should also go beyond the obvious. Sure, a second factor added for authentication (2FA) is more secure, but articulate why it is being required. All factors need to be considered to determine whether additional controls are reasonable and appropriate for a particular area (e.g., an air-gapped system within a restricted-access lab).
Modern cybersecurity is a complex arena, and careful consideration is required when it comes to policy and controls. Be aware of the Force Multiplier effect, and avoid the Multiplier Bonus. In the public space (e.g., government) there has been a renaissance of sorts surrounding transparency and accountability. Such openness and accountability reduce confusion, open dialogues, and ultimately improve the overall service and interaction (e.g., law enforcement) [1-3]. Organizational collaboration, transparency, and accountability in cybersecurity can also drive better outcomes related to cost, resources, and more optimal privacy and security for the organization.
Disclaimer:
Boring Disclaimer: These thoughts are my own and I am not posting as a representative of any company. Your mileage may vary. Objects in mirrors and binoculars may be scarier than they appear (or they might not). If this had been an actual emergency, you and I would likely be doing something more important.
References
[1] ESRI.com, "Promote Police Accountability: GIS for Equitable Policing", 2022
[2] USMayors.org, https://www.usmayors.org/issues/police-reform/transparency-and-accountability-to-reinforce-constitutional-policing/ , August 2020
[3] Reason.org, https://reason.org/commentary/transparency-laws-improve-accountability-trust-in-law-enforcement/ , July 2021
[4] Image of executive presenting: Photo 13209794 © Aleksey Gorbatenkov | Dreamstime.com
Comment from: Formerly IT Governance, Risk, Security and Compliance Lead at Sema4/GeneDx (2 years ago)
Well written and very true. Sometimes stakeholders need to see good reasons, or even evidence of prior negative outcomes, to accept controls such as 2FA and complex passwords. We have found that communicating often, creating knowledge-base articles for reference, and even hosting "quiz shows" with prizes during conference calls have helped. Providing yearly training is also an important step, as PHI is a common data type that we deal with. Addressing mistakes in an educational way is also important.