When I was a kid, twern’t no Netflix or even DVDs. If you wanted to watch something, you had 4 stations on the TV (ABC, CBS, NBC and PBS) or you could go to the cinema. I even remember when they built the first multiplex in Mattoon: it had 3 screens all under one roof. So, yeah… I’m kinda old.
One of the great joys for a kid at that time was Saturday mornings, because that was the day you got to watch cartoons. It was the only day, and there were some great ones. But some of my favorites were the old Looney Tunes, which were certainly not originally intended for kids.
Today, I was looking at some example security architecture and risk assessments, and one of them popped in my head. There was a Bugs Bunny short called “Hare We Go” that starts out with Christopher Columbus arguing with the King of Spain about the shape of the world:
Columbus: “Round!”
King: “Flat.”
Columbus: “Round!”
King: “Flat.”
Columbus: “Round!”
King: “Flaaat.”
Columbus: “Round!”
So, basically, it was a lot like a conversation between security and our primary customers in the business. This went on a bit until it seemed more words were necessary:
King: “The world…she’s flat.”
Columbus: “The world, she’s round.”
King: “She’s flat.”
Columbus: “Look, King, she’s round—like the apple.”
King: “She’s flat, like the pancake.”
Columbus then goes into a bit of a rant, finishing with, “The world…she’s round—like my head,” vigorously pointing to his head.
At which point, in classic cartoon style, a big hammer comes out, whacks Columbus on the head, and you hear the King say, “She’s flat, like your head.” And poor old Chris is booted out of the building on his bum.
I haven’t seen it in years, but I had to google it to jog my memory, and it’s still 7 minutes that makes me laugh.
One of the traits that seems pretty prevalent in security professionals is a bit of a stubborn streak. And, most of the time, this serves us in good stead. We’re not always as articulate as we should be when engaging with our customers (see above), but the majority of the time, we do mean well and we truly are trying to help.
And two things that must go hand-in-hand like beer and peanuts are risk assessments and security architecture. However, there seems to be a bit of a “flat-world” crisis running under the surface the like of which hasn’t been seen since the late 1490s.
Even if you follow a framework that gives you some kind of risk taxonomy, like VERIS (one of my personal favorites), PESTLE (in all of its various guises), the CSA CCM Risk Matrix…
…pick one, it really doesn’t matter, because the problem is all the same.
And that problem is how to focus and prioritize those risks when you’re doing a risk assessment.
What tends to happen is that you end up with long, complicated risk scenarios like something out of The Butterfly Effect:
If an elephant poops on the savannah, a tree will grow, and when that tree grows and is chopped down, it will make wood to build houses, and when board 123X-23 is installed in the data center during a renovation, Bob, the very same Builder we all know, will get a splinter. However, the splinter will strike an artery, causing Bob to be rushed to a nearby hospital, currently overwhelmed dealing with a global pandemic, and he will have to wait outside for 2 hours—at which point he will not only drift off into the eternal sleep, but his family will sue the organization for $50 gazillion, revenues will be down due to the global slump in demand thanks to the pandemic, and the organization will go bankrupt.
Why yes, Virginia, I am exaggerating—but only by a little bit.
I’ve seen some crazy-arse risk scenarios like these in some of the risk assessments I’ve reviewed, and they’re just flat-out dangerous. These “flat world” risk assessments where everything is rolled into one scenario conflate a bunch of different issues into a heart-stopping narrative…
…that makes it seem to be truly unique—when about 99% of it is the same type of thing that would potentially happen in response to a bunch of different scenarios.
The chimera of complexity rears her fire-breathing head not only in our architecture efforts but in our risk assessments too. And, for the record, I believe that the single biggest reason for both the flat-world risk assessment and the flat-world architecture is the same:
People don’t really understand what architecture is, and therefore they don’t know the difference between what is plausible and what isn’t. And when you can’t tell the difference, you’ve no hope of violently encapsulating complexity as Principle 5 of The Agile Security System™ commands, because you’re so far in the middle of it, you don’t know where to start.
However…if you have a sensible grounding in a straightforward view of the world – yours and the world of your customer – then you can send that complexity chimera packing as fast as ol’ Chris was booted out of the King’s audience chamber above—without getting a flat head like he did.
Once you have this view, it’s about as easy as plugging in the color-coded cables into the back of your TV, allowing you to focus your precious analysis cycles where they’re really going to do some good—
rather than effectively having to re-evaluate the same 10 risk events and impacts 55 times just because someone used different words to describe the sequence in which they might happen.
Sometimes this sequence is important, for sure. But getting to the essence is what’s going to give you leverage, clarity and, ultimately, speed and confidence in your risk assessments and reports to your business customers.
If you’d like to learn how to cut through the crap of the complex risk scenario, then you might want to make sure you’re going to get the May edition of the Archistry print newsletter, Security Sanity™, in which I’ll be talking all about how you can avoid the “Johnny tripped over his shoelace, so we’re all going to go out of business tomorrow” types of nonsense, and build a reusable library of risk scenarios you’ll be able to leverage on a daily basis if you need to.
To make sure you’re subscribed before the deadline, just go here:
After all, the world needs better security, so it’s up to us to build better models. If we don’t do it, who will?
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive