Archistry

Survivability by Design™ since 2006


August 18, 2017

Why Your Cybersecurity RCA Isn’t Working

Recently, I was having a discussion with a customer we’re working with to restructure their IT Security department and adopt SABSA end to end. Doing this will let them manage their cybersecurity risks more effectively and keep the security function directly focused on supporting business execution, not just doing security for security’s sake.

The Problem

One of the problems they have is that the recommendations of the engineers doing the root cause analysis (RCA) after a cybersecurity incident or suspected data breach are implemented directly, without further review, to prevent the same incident from happening again.

I know what you may be thinking: Andrew, why would this be a problem?

It’s a problem because, as good as they are, the engineers on the ground in the security operations teams aren’t in the right place to see the big picture. They see the specifics of exactly what happened, so their recommendations follow the same shape: solve the immediate problem.

The Impact

In the worst case, this becomes an endless game of Whack-a-Mole, because the team mostly treats the specific symptoms of each incident rather than identifying what the right overall solution might be.

In the best case, the suggested mitigations may be the right ones, but they’re made without any consideration of the overall systemic consequences of taking that action. Remember Newton’s Third Law?

For every action there is an equal and opposite reaction.

In risk management, as in physics, ignoring this law can have devastating consequences, or it can leave real opportunities sitting on the table.

Suppose I run a club and I’m worried about the band complaining that they aren’t getting their fair share of door ticket sales because people are sneaking in through the back door, and I need to make it right. I might do something to prevent that from happening. If I’m really short-sighted, I might do something stupid like chain the fire doors shut. This works great right up to the point there’s a fire or other emergency, and people die because I was trying to manage the risk of people entering the club without counting towards paying the band.

Action: apply control to mitigate one risk

Reaction: dramatically increase the risk exposure in another, unrelated area of the business

Potential Results: injuries, death and going out of business

Now you may be thinking: ok, Mr. Smartypants, so what’s the relationship to RCA and why does it matter?

The Right Way

Back to the customer’s situation: the problem isn’t the quality of the RCA or the people who are doing it. They’re doing exactly the right things, and they are, without a doubt, the best people to be doing it, because they’re the ones with the right access to the details that matter.

The problem is that there’s no oversight, guidance or awareness of what the consequences of the recommendations might be for the rest of the business or the wider security environment. Who’s best positioned to figure that out?

Right. The Security Architect.

One of my favorite examples of how this works is a scene from Rush, the 2013 Ron Howard film about the ’70s rivalry between drivers James Hunt and Niki Lauda:

In the scene, the problem (incident) they’re trying to correct is that the car is too slow. The root cause is ultimately that the car is too heavy.

“We’ve tried everything,” said the mechanics.

“Are you using magnesium parts?” asks Lauda. “When you’ve done that, you have to look at the aerodynamics. Front and rear wing.”

With the bigger-picture view, Lauda makes the right suggestions, which ultimately make the car 2 seconds faster and over 20kg lighter.

Who makes the cybersecurity control decisions in your organization? Is it the mechanics or the drivers?

Are you confident of the results? Do you have your priorities straight?

While computers, CAD and advances in mechanical engineering have changed the science of Formula 1 today, there are a lot of parallels between the 1976 approach depicted in the film and the way we do both business and cybersecurity risk management now.

The truth is, we’re not very sophisticated, and more often than not, we don’t see the bigger picture of the consequences of the risk management decisions we make in one area on the rest of the organization.

Stronger passwords and auto-locking accounts = more lost productivity and passwords written on post-its

More stringent health and safety regulations = higher costs and slower task execution

More oversight, approvals and set procedures = slower execution, rule breaking and cooked books

Controls are necessary, but we need to understand the full implications of putting them in place. If we don’t, we may end up endlessly solving the wrong problems because we can’t see the forest for the trees.

Let’s talk about how the results of RCA work in your organization so we can make sure you’re making the right decisions and have the right oversight to ensure those decisions enable successful business execution. Drop us an email, fill in the form below or give us a call today!

Article by Andrew Townley / Risk Management / Cybersecurity, Data Breach, Information Security, SABSA, Security Architecture
