This is part of a larger post I’m doing for work. The quality assurance concepts are described in more depth in a previous post. I will update this later with diagrams, etc., which will distinguish it further from the older posts. But for now, consider this a draft:
Cybersecurity is a quality assurance problem that recurs without bound over time; what we are tackling is not a matter of fixing individual errors, but of reducing their frequency to a level at which we can continuously afford to remedy the ones that do happen. Multiplied by the increasing number of cyber systems we develop or change every year, the errors requiring mitigation are growing constantly and will exceed defensive resources unless the rate at which they are made is reduced.
We must reframe the discussion to account for this “quality assurance” perspective if there is any hope of improving the quality of our cybersecurity posture. Direct experience has shown at least four areas requiring focused development to successfully broaden the cybersecurity dialogue:
1. Success Criteria: To date, much of the cybersecurity conversation has lacked coherent, actionable risk reduction objectives. The development of a “Common Operational Picture”, for example, is only a tool to reduce risk, not a strategic goal. Similarly, while a Minimum Level of Hygiene is a useful description of a suite of efforts, it does not say what the specific success of those efforts would look like. Instead, success criteria should state which business and national security priorities must continue to be met, and at what defined performance levels, in the face of cybersecurity errors. If we can begin to describe objectives in this way, we will be more successful at building mechanisms to achieve them.
2. Holistic Inclusion: Cybersecurity has traditionally been the domain of IT or security specialist staff, but an analysis of the timeline over which cybersecurity problems occur shows that those roles have far less impact than the roles that are not specialized. Because of their part in defining success criteria and operating cyber systems, business leaders, operations staff, managers, procurement officers, and many others have far more impact on the state of cybersecurity over time than those whose roles focus on it.
3. Common Framing: It is very difficult to solve a problem as a group when the members of the group, because of their backgrounds, have different ideas of what the problem actually is. Cybersecurity is a complicated, multi-dimensional problem which must be solved at several discrete, if interdependent, levels. Often, those who work at one level are not aware of the others or of how they fit in. If asked what cybersecurity means, people in different roles may give wildly different answers. Even explaining what one cybersecurity tool or framework does versus another requires a common framing of cybersecurity that experience has shown to be lacking in most cases. Any national initiative should, at a minimum, take this problem into account, or actively work to solve it.
4. Trust: In today’s world, businesses are part of a larger system of industry, national, and world proportions. While competition is one aspect of that system, so is cooperation. Often mistakenly called trust, this focus area should instead begin to carve out a formal space and culture in which competitive peers can operate cooperatively in the interest of common success.