Ambiguity is a reality in cyber security, cyber risk management, and cyber threat intelligence. The path to answering "what's going on here?" may simply not have a lot of clarity. Less regulated industries in particular can be a hotbed of additional ambiguity, as executives balance the very strong competing priorities of revenue generation and operational resilience against the friction that secure processes and security controls can bring. Team members new to cyber security need to be prepared to deal with ambiguity in its many forms.
For instance, your job may be to implement a series of security controls for compliance reasons. From a compliance perspective, the requirement for the control may seem unambiguous at face value. What if any of those controls break or impact the performance of key systems that generate revenue? What if there is the perception that they will? What if the business process owner isn't on board with the risk because they are working on a project that the CEO has deemed key and critical to the business? Now no one wants to implement the controls, and there isn't clarity about who owns accepting the risk either. To be successful, you'll need to understand the ambiguities and negotiate through potentially incomplete information to identify an owner who will either get the control implemented, compromise on an acceptable compensating control, or accept the risk. That sounds easier than it often is. Ambiguity can't linger in a successful cyber security program.
While those in regulated industries may scoff at the example, many cyber security practitioners have to deal with this type of ambiguity regularly. You may have to as well.
You'll also need to prepare for technical ambiguity around evaluating the efficacy of controls. Like people, all tools have strengths and weaknesses. For any tool, we have a broad spectrum for how it performs. There are lots of terms out there like perfect, "the standard", "best practice", "good practice", good, "good enough", and "not to standard". What does your organization require from your tools? Some believe that "good enough" isn't. Others want perfect, while still others believe that perfect is the enemy of good. What happens if "best practice" doesn't work for your org?
You'll be interpreting and deciding. Compliance might be a simple green, yellow, or red, but the ambiguity of residual risk can be more complex. This is why "checklist security" isn't a high fidelity path to avoiding a breach. "Depends..." may have to be an answer sometimes, and checklists don't often include those checkboxes. Effective cyber security and cyber risk management are rarely binary endeavors.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.