Chemistry and Ethology of the Cybersecurity Tiger
When something is complex, use a model
An essential method to understand complexity is using a model. The model will help us understand, and by choosing an appropriate model we can explain the past and forecast the future of a system. The components of the model are the object, the actions that the objects can perform, and how the objects are organized and interact with each other, their relationships. This is how we could, in principle, understand a pack of tigers.
In cybersecurity we need to model organizations and their information systems. The most frequent model used for information systems is the “Asset”. At what level of complexity does the asset sits? Is it an application distributed across multiple zones? Is it a single laptop on the desk of a worker? No one knows for sure, and very often you will find risks assessments, business continuity plans, or audits, where different levels of complexity mix freely. This leads to a higher effort than necessary, which translates into higher cost and duration of the project, and a permanent sense of uncertainty. Did we complete the assessment, audit, analysis? Who can say? We could split this application into frontend backend, database, and a myriad of components? Are they assets?
Professionals very often try to tame this tiger by simply ignoring it. Others try to understand the tiger by looking at its chemistry… What proportion is carbon, oxygen, hydrogen? But even if you knew everything about the chemistry or even the inner works of every organ, that will not explain how it hunts or mates.
The best model is a model that drives action. Whatever assessment is performed will find something to be improve or fixed. The only way to drive that improvement is to determine who will do it. That is why the best model uses ownership as the right complexity level where to focus any analysis or assessment. Who owns these systems? John! Ok, so let’s call all these group of systems an asset, and let’s assign the fixes and improvements to John.
I can contribute a trick to determine who is the owner of something. It is not the admin, often, but it can be. It is not the person who pays the bills for it, but it could be, and it is necessarily the person who obtains the budget for it. It is the person with the least responsibility who has the power to shut down that system and replace it with something else. This tip was lifted directly from the novel “Dune”: He who can destroy a thing, can control a thing, Frank Herbert
If you model this way, you will have a far better opportunity to improve the security of the tiger you care for.
To learn more
This article is part of a series that starts here: Principles of Evidence Based Cybersecurity Management
Or watch this article as a video