You are currently browsing the category archive for the ‘art’ category.
This is part of a larger post I’m doing for work. The quality assurance concepts are described in more depth in a previous post. I Will update this later with diagrams and etc. which will distinguish it further from the older posts. But, for now consider this a draft:
Cybersecurity is a quality assurance problem that occurs unbounded over time; what we are tackling is not a matter of fixing individual errors, but reducing the frequency of them to a level where we can continuously afford to remedy the ones that do happen. Multiplied by the increasing number of cyber systems we develop or change every year, the errors requiring mitigation are increasing constantly and will exceed defensive resources without a reduction in the rate at which they are made.
We must reframe the discussion to account for this “quality assurance” perspective if there is any hope of improving the quality of our cybersecurity posture. Direct experience has shown at least four areas requiring focused development to successfully broaden the cybersecurity dialogue:
1. Success Criteria: To date, much of the cybersecurity conversation has lacked coherent, actionable risk reduction objectives. The development of a “Common Operational Picture”, for example, is only a tool to reduce risk, not a strategic goal. Similarly, while a Minimum Level of Hygiene is a useful description of a suite of efforts, it does not speak to what the specific success of those efforts would look like. Instead, success criteria should speak to business and national security priorities to be enabled at defined performance levels in the face of cybersecurity errors. If we can begin to describe objectives in this way, we will be more successful at building mechanisms to achieve them.
2. Holistic Inclusion: Traditionally the area of IT or Security Specialist staff, an analysis of the timeline on which cybersecurity problems occurs leads to the observation that those roles have far less of an impact than those who are not specialized. Because of their role in defining success criteria and operating cyber systems, business leaders, operations staff, managers, procurement officers, and many others have far more impact on the state of cybersecurity over time than those in roles who focus on it.
3. Common Framing: It is very difficult to solve a problem as a group when those in the group, because of their backgrounds, have different ideas of what the problem actually is. Cybersecurity is a complicated, multi-dimensional problem which must be solved at several discrete, if interdependent, levels. Often, those who work in one level are not aware of the others or how they fit in. If asked what cybersecurity means, people in different roles may have wildly different answers. Even explaining what one cybersecurity tool or framework does versus another requires a common framing of cybersecurity that experience has shown to be lacking in most cases. Any national initiatives should take into account (at a minimum) this problem or actively work to solve it.
4. Trust: In today’s world, businesses are part of a larger system of industry, national, and world proportions. While competition is one aspect of that system, so is cooperation. Often mistakenly called trust, this focus area, should instead begins to carve out a formal space and culture for competitive peers to operate cooperatively in the interest of common success.
With all the blah blah blah going on about CISPA, I’ve managed to keep my mouth shut about it for awhile, but it turns out I do have something to contribute to the dialogue (or, I think I do :) ).
I’m not going to review the language of the bill – I’m sure it’s terrible. Most cyber legislation is. It can’t not be. They all go too far, lack clarity of language, introduce unforeseen escalations of government rights, etc.
There’s no need to go over the givens. :)
So, then, what? Well, after I finally read CISPA and the surrounding reporting, what I noticed was that very few people seem to understand that the bill didn’t come out of nowhere. The language in it, the motivations behind it, the structure of the bill, etc…all of it… completely reflects the information sharing discussion that’s been going on between those engaged in public/private partnership cyber security activities for years. It’s not just a random congressional fart. Anyone who has been part of that discussion should recognize the bill as an old …if not friend…sparring partner.
For those who don’t know, there is, in this space, an institutionalized gridlock in the debate about information sharing. CISPA clearly is an attempt to remedy this very, very specific gridlock. It’s not a general cyber security bill. It’s not even a general information sharing bill.. It is designed to address the perspective that the government has information it won’t share, that clearances have been roadblocks, and that legal ambiguities have prevented sharing.
Now, while I happen to think that some of these are in fact roadblocks, I also know CISPA doesn’t touch the heart of what the most severe and core information sharing problems are. But, unfortunately, I’m in the minority. A great number of otherwise intelligent people do believe in what it’s trying to accomplish, typically terrible language notwithstanding.
Maybe no one else finds this worth noting, but I at least thought it was unusual that the structure of the existing conversation is so clearly reflected in a piece of legislation…
(The following was written for the upcoming NESCO Energy Sector Cyber Security Risk Management Town Hall program book.)
I’ve seen people fly, I’ve seen birds fly, I’ve seen a horse fly, I’ve even seen a house fly, but I’ve never seen an organization fly. And, as silly as it might seem, this really does have significant implications for managing cyber risk – especially when we look incredulously at the many public compromises and wonder “why does it keep happening?”.
A good way of approaching that question is to look at where cyber risk management is “succeeding”. Succeeding? Yes! Cyber risk is, in fact, being managed – and quite well! If you doubt this, you might need to ask yourself important questions like “Which risks are being managed?” and, more importantly, “Which risks to *whom*?”
What I mean to say is that, while organizations can have an effect on the world around them, they can’t actually be seen or touched. They’re not tangible and they can’t…”fly”. Instead, they are the conceptual sum of the many varied decisions of individual people. These conceptual sums are inanimate; they cannot – and do not –feel risk. Instead, it is their executives, owners, employees, and customers who feel risk. Their soft squishy human hopes, dreams, passions, fears, biases, moods, and biochemistries ultimately drive organizational “risk tolerance” and we should never forget it. Here, it’s crucial to understand that people almost exclusively put risks to themselves ahead of all others (including an organization’s).
So, then, if the “collective” risks to individuals do trump all else, where do we look for ownership and resolution?
Well, some would say “users”, but do “users” (or “individual performers”) care more about meeting their boss’s expectations or saving the intangible organization from invisible adversaries and hidden costs without direction? Probably the former.
Further, while “the bosses” who set these expectations might see that the cyber problem exists, their primary risks resolve around meeting their own senior leadership’s expectations as well.
Ok, but isn’t IT Security key to cyber risk management? Not really. IT Security, like any other group, must align themselves with their senior leaders’ and executives’ priorities. Without that alignment they hold no sway or effect.
So, then, it’s on Executives. Senior leaders, what drives your risk appetites?
I ask because cyber risk management is a hard problem. Aren’t you safest if you follow best practices and “buy Cisco”? Ultimately, if you do and your organization gets compromised, what happens to you? Most likely very little – you did your best after all. Is it even in your best interest, then, to know cyber is a hard problem? If you’re aware that best practices have been failing like communism, aren’t you then obligated to come up with solutions of your own? Wow. No way. It’s best to believe the hype; best to buy Cisco; best to keep transferring the risk.
Intentional ignorance (or lack of “awareness”) isn’t just bliss, it also reduces risk to those people directing organizations and dictating the priorities of their human building blocks.
Hey! Long time no post. As a quick follow-up to the last few posts, our Cyber Security in Transportation Conference ended up with 300+ attendees from industry and government!. It was fun, educational, and wildly successful.
Now, I’m back here to encourage you (if you have a personal or professional interest in Energy Critical Infrastructure Cyber Security and/or Risk Management) to attend the Security Risk Management Practices for Electric Utilities Town Hall in New Orleans this May 30-31 put on by NESCO.
I’ll be speaking as part of a panel and am looking forward to some fantasic conversations! More info below:
Electric Sector Cybersecurity Town Hall
Security Risk Management Practices For The Electric Sector
Presented by: National Electric Sector Cybersecurity Organization
Hosted by: Entergy – http://www.entergy.com/
Security risk management is a topic of continued discussion in the electric sector.
It can be a daunting task and often overwhelming when faced with trying to
implement the many security risk management models available.
This town hall style meeting brings together many of the industries leading
security professionals to explore security risk management practices for the
electric sector in depth.
You will have the opportunity to participate in open discussions with security risk
experts, hear about solutions implemented by utility security teams and learn
more about industry specific security risk management guidelines.
You are invited to be part of this important meeting.
For more information click here http://nescotownhall2012.eventbrite.com/ or call
Abbie Trimble at 503-446-1223 or firstname.lastname@example.org
William N. Bryan - Manage Risk Before It Manages You
US Department of Energy, Deputy Assistant Secretary, Infrastructure Security
and Energy Restoration
Matthew Light - Overview of the Cyber Security Risk Management Process
U.S. Department of Energy, Infrastructure System Analyst
Patrick Miller - Electric Sector Risk Management – Past, Present and Future
National Electric Sector Cyber Security Organization (NESCO), Principal
Katie Jereza - Aha! Valuable Tools for Managing Supply Chain Risk
Energetics Incorporated, Program Director/ U.S.Resilience Project, Liaison
Brandon Dunlap – Brightfly, Managing Director of Research
Prudence Parks, United Telecom Council, Director of Government Affairs and
Robert Coles, National Grid, CISO & Head of Digital Security and Risk
Dave Lewis, AMD, Senior Information Security Analyst
Ben Tomhave, Lockpath, MS, CISSP, Principal Consultant
Craig Miller, NRECA, Senior Program Manager
Jack Whitsitt, TSA/DHS, Team Lead, Cyber Security Awareness and Outreach
Louis Dabdoub III, Entergy, Manager, Corporate Security
Mark Ellister, Eugene Water and Electric Board, Sr. Security Specialist
For more information click here http://nescotownhall2012.eventbrite.com/ or call
Abbie Trimble at 503-446-1223 or email@example.com
Presented by the National Electric Sector Cyber Security Organization(NESCO),
a program of EnergySec
UPDATE: Please see this link for the most current agenda. The one in the post is outdated: http://sintixerr.files.wordpress.com/2011/10/cyber-program_1020.pdf
So, one of the things I get to do as part of my job which has been pretty exciting is to put together the agenda for our 2nd annual Cyber Security in Transportation summit. It’s happening November 1 & 2 this year in the DC area and is going to be full of outstanding talks for all ages and backgrounds. ;) The summit is aimed at executives and decision makers from within the transportation industry who might be effected by cyber security or whos actions may affect the security of their organizations. We’re covering general cyber security themes as well as transportation specific ones. If you’re in the transportation sector – pipeline, aviation, freight rail, mass transit, highway & motor carrier – and want to attend, let me know at firstname.lastname@example.org.
The tentative agenda currently looks like this:
Summit Schedule (Click for Larger)
Industry Case Studies
Four discussions of transportation-specific cyber security concerns and perspectives: Incidents, Best Practices that worked, Lessons Learned, Soap Box Scenarios , etc.
Based on outcomes of this summer’s Transportation Cyber Security Exercise
Representatives of the Maritime mode will discuss topics of common interest
General Cyber Security Awareness Talks & Panels
Panel: Offensive Perspectives
Non-technical perspectives from well-known offensive researchers
Panel: Threats in the News
Current threats in the news such as APT, Stuxnet, and Anonymous
Panel: Executive Perspectives
Concerns and solutions in today’s environments
Panel: Risk Management
Cybersecurity impacts on business risk management
Verizon Data Breach Incident Report
An empirical overview of current trends
Ups, downs, concerns and impacts of social networking on cyber security
Users and Awareness
Exploration of the most critical aspect of cyber security: Users
Verizon Data Breach Incident Report: Bryan Sartin/Verizon Business
Industry Case Study 1: Boeing Mike Garrett/Boeing
Panel: Offensive Perspectives: Kevin Finisterre Ruben Santamarta Mark Fabro
Social Media: Patrick Gray/CISCO
Panel: Maritime Stakeholders (USCG & Industry)
Panel: Threats in the News: Scot Terban (Anonymous) Liam O Murchu / Symantec (Stuxnet) (APT)
Industry Case Study 2: Transportation Control Systems Darryl Song/Volpe
Keynote: Vice Admiral Parker/ USCG
Panel: Executive Perspectives: Amit Yoran/Netwitness Gus Hunt/CTO of CIA
Users & Awareness Mike Murray/MAD Security
Panel: Risk Management Jack Johnson/PWC Russell Thomas Jack Whitsitt