A lot of people out there are talking about the direct impacts to themselves of the global mandatory and voluntary lockdowns enacted to control the spread of COVID-19. This continued spread is the direct risk of unrestricted physical contact, and, as we’ve seen, it clearly has the ability to cause the ultimate impact: loss of life.
Most people, if they’re talking about systemic impact at all, are talking about it in the classic sense of markets, investments or securities. However, anyone who’s familiar with SABSA at all knows that one of the key benefits of a domain-based security architecture is the ability to both understand and predict how the impacts of a risk materializing in one domain travel through the network of architectural dependencies, which is based on the real governance relationships documented by your security architecture.
If we were to apply this to our current pandemic scenario, the direct risk to any individual is that they come in contact with the COVID-19 virus, and, as I talked about in an email a while back, those virus particles generally get through the body’s natural access control mechanisms through breathing them in, touching our faces, eyes and nose, or licking our fingers. If this risk materializes, then the person gets sick.
So, that’s step 1: direct risk (exposure); direct impact (contamination). The primary controls here are:
- avoiding situations of potential exposure, and
- if avoidance isn’t possible, applying a set of controls used to ensure the potential contamination doesn’t breach the body’s access controls, namely: wear a mask and eye covering, don’t touch your face, and thoroughly wash any potentially contaminated surfaces.
The severity of the impact determines how this sickness impacts their overall quality of life (step 2). Even if the severity of the impact is minor, they are now still capable of transmitting the virus to other people (our original risk), so the controls at the disposal of the infected individual are really: choosing to self-isolate, wearing a mask and/or covering mouth and nose when coughing or sneezing, washing your hands regularly and attempting to boost the immune system.
However, in the case where the infected individual chooses to self-isolate or is forced into isolation due to severe symptoms, then the 2nd-order impact of this isolation is that they obviously can’t really do the things they do regularly. Some of these include:
- (A) interacting with their friends and family,
- (B) purchasing goods and services, and
- (C) creating goods or services, i.e., delivering economic or social value by going to work.
Obviously WFH is an enabler to potentially manage the impact of not doing C, and online shopping is a potential enabler to manage the impact of B, and using social media, voice and video calls is an enabler to manage the impact of A.
But that’s still the picture for a single individual. Looking at the aggregate, you start evaluating the number of impacted elements, for example using data from the California Budget and Policy Center detailing the number of jobs by industry most immediately impacted by COVID-19-related business reductions and closures, including:
- Over 1 million people employed in physical retail
- Over 2 million people employed in leisure and hospitality
- Almost 60,000 in air transportation
- Almost 300,000 in logistics and other transport
The total for all these is over 17.5 million people. So let’s just say, based on a random $72k/year median household income for California, that within 8 weeks of not being paid, the total economic impact to California is almost $200 billion.
But that’s not the whole story, because everything is connected in today’s global economy. If nobody’s going to work, then there’s a fixed supply of goods to be purchased to continue the economy (assuming people have money), so there’s a limit to the amount of time enabler B is viable. Enabler C only works as long as the job is viable without physical contact, and even then, based on my own estimates, initial productivity while trying to be confined at home during a pandemic is between 10% and 60% of normal, meaning, obviously, a 40-90% reduction in the value created by those individuals.
Less value created by the individuals reduces the ability of the organization to provide services to people who buy, reducing the effectiveness of enabler C and, again, impacting enabler B. And, at some point, as the economic stimulus and debt freezing illustrate, the money in people’s pockets will run out, sending the whole thing crashing to the ground.
In the aggregate, it won’t stop, because there are too many people with money who won’t let that happen, both governments and private companies. They’ll do what’s necessary to invest and ensure the system survives, because, ultimately, the existence of the system is what enables them to exist…
…and self-preservation is one of the most powerful motivators there is.
So what’s the point?
The point is that I just did all this in my head – a one-shot deal – and I’m sure I missed something, and I’m confident my numbers don’t really represent the subset of California workers impacted. I picked California simply because that was the first viable Google search result I got that gave me what I wanted to work the example, but California is only one small dot in the global economy, and each of those dots has a network of relationships with similar dynamics.
The point is that architecture is what allows you to think about, prioritize, document and then use the elements and their relationships which are most relevant to what you’re trying to control. And, as security professionals, what we’re trying to control is the ability of our organizations to achieve their objectives. And the whole dynamic changes when that ability is impaired not only internally but simultaneously impaired by every external connection and relationship as well.
How do you know what you’re supposed to do—as a business or a security leader?
You build a model, either in your head like I just did, or more formally the way you learn about through SABSA or through the upcoming July cohort of Building Effective Security Architectures, where we spend quite a lot of time talking about these kinds of relationships, how to analyze them and why they are the real governance model you need to understand…
…not just some crazy, contradictory RACI chart someone throws together out of desperation to try and get people to do the right jobs at the right time.
While the models are ultimately very complex systems, the rules for building them are not. And the richer and more complete your model, the better job you’re going to do delivering the mission and purpose of security to keep the organization safe while it does whatever is important for it to do in the world.
While you might know the foundations from going through the official SABSA courses, there are some subtleties you need to understand if you want to build these kinds of models in practice. I should know, because I’ve taught the SABSA Foundation course to over 200 people over the years, and I’ve also built many of these kinds of models working with customers across industries and around the world.
Understanding these systemic, n-ary risk interactions is the key to successful risk management, regardless of whether you’re talking about cybersecurity, information security or any other type of risk. So if you want to learn how to really have the best chance of enabling and protecting your organizations, you might want to consider joining the next cohort of the program.
To do that, go here: https://archistry.com/besa
If you do it before Sunday, the 19th, you’ll even save $2,000 off the regular program investment, which could potentially go a long way given what we’re all going through right now.
If you were thinking about it before, and you didn’t join because you either waited too long or thought it was too expensive – especially if you’re self-funding your security skill development due to reductions or freezes in training and other expenditures during the crisis – then, dare I say, “Now’s the time.”
This is the second time I’ve done this kind of steep “Early Bird” discount, but there’s no guarantee that I’ll offer it again the next time I run the program. So if it’s right for you, the clock is ticking, because the $2,000 discount disappears at 11:59pm US/Eastern on the 19th.
If you’re in, super. If you’re not, that’s totally ok too. This isn’t really the kind of program you can just hang out in the back and audit—or that you can get to it when you feel like it. You’re part of a live cohort, with a schedule of material and exercises for 7 straight weeks. That means it’s only for people who are serious about becoming more effective security architects…
…which shouldn’t be too surprising since that’s pretty much the name of the program.
Andrew S. Townley
Archistry Chief Executive