Cybersecurity is one of the most important and challenging issues of our time, one with which many organizations are struggling. In the following guest post, John Doernberg takes a look at the ways we talk about cybersecurity and asks whether the language we use may be part of the problem. John is an Area Vice President at Arthur J. Gallagher & Co. in Boston and leads that office’s Cyber Liability Practice. A version of this article previously appeared as a LinkedIn post, here. I would like to thank John for his willingness to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s post.
“Plans are useless but planning is essential” — Dwight Eisenhower
The language we use to discuss cybersecurity is vivid and colorful. It is frequently martial: there are wars, battles, silver bullets, kill chains, rogues and of course enemies. At any given time we are either winning or losing. Superlatives abound: we face the “greatest threats” or even “Cyber Armageddon,” which we of course try to avoid through the use of “best” practices.
Yet while the language we use remains largely stark and immoderate, cybersecurity defenses have themselves become increasingly nuanced and tempered. As organizations have adapted in their ongoing struggle with both malice and negligence, two core tenets are now widely accepted: (1) the most cost-effective risk management practices for any organization will depend upon its unique risk profile, business realities and priorities, and (2) proper cyber risk management must be coordinated and continuous rather than disjointed and intermittent.
Maybe it’s time for the language to catch up with, reinforce and guide behavior.
Change the Frame, Change the Behavior?
Instead of thinking about cybersecurity in such extreme terms, we might be better served by a conceptual framework that incorporates nuance and persistence. Social scientists often refer to “wicked problems,” such as healthcare or poverty, which are different in nature than difficult but “ordinary” problems. Wicked problems usually have certain characteristics:
- They do not have a single root cause and are interwoven with other problems.
- They do not have a simple solution — initial efforts to solve a wicked problem instead reveal new dimensions of the problem.
- Trying to solve one dimension of a wicked problem in isolation is futile.
- While solutions to ordinary problems can be objectively assessed as right or wrong, solutions to wicked problems are mostly a matter of judgment.
- The most successful approaches to wicked problems incorporate (1) people with different domains of expertise, (2) trial and error, and (3) recalibration and adjustment based on experience and constant learning.
- Progress on wicked problems requires flexibility, collaboration and pragmatism.
It may be helpful to think about cybersecurity as a kind of wicked problem. Like wicked problems, cybersecurity cannot be addressed in isolation from other corporate concerns and priorities. It doesn’t have a single definable resolution and must be addressed continuously based on rapidly changing circumstances; what seems to work well today may be ineffective at addressing new threats. Finding the right “solution” means only determining the preferred balance among competing organizational interests. It is not a perfect metaphorical fit, but as the scientist and statistician George Box said, “all models are wrong, but some are useful.”
A “wicked problem” conceptual framework may also subtly shift how companies integrate expertise across the different domains. Domain expertise is essential but insufficient — a gathering of superstars rarely produces the best team. Both the internal principals and the external advisors (such as lawyers, cybersecurity specialists, insurance brokers) need to be “smart in their silos,” but they must also understand that the success of their collective endeavor requires breadth as well as depth, and the ability to coordinate and mesh their roles as seamlessly as possible for the long haul.
The Disadvantages of a “Best Practices” Mindset
It may also be time to rethink the “best practices” ethos rampant in cybersecurity circles. Its popularity is understandable. When companies say they are taking a “best practices” approach to cybersecurity, they are signaling to internal and external constituencies that they take cybersecurity seriously and are implementing strong risk management practices.
But a “best practices” paradigm for cybersecurity defense seems to reflect an approach that treats causes and effects as discrete, predictable and consistent. As David Snowden describes in his Cynefin Framework, however, “best practices” work in simple situations where cause-and-effect relationships are predictable and repeatable. One can assess a situation clearly and devise a response that is always the optimal approach — that’s why they are “best” practices.
Anointing particular practices as the “best” suggests there are risk management choices that yield consistently optimal results, and that the alternatives are always worse. That is not the case in the realm of cybersecurity. Each organization’s “best” approach requires finding the balance point among its particular risk profile, budgetary and other business needs. It calls for a thoughtful assessment of a company’s unique characteristics and the inevitable tradeoffs required in choosing a course of action.
A “best practices” mindset also encourages focusing on discrete risk management practices rather than on finding an equilibrium among risks, priorities and resources. For example, many would consider two-factor authentication a “best practice” for reducing the risk of phishing and other social engineering attacks. Forcing employees to use two-factor authentication, however, can cause widespread annoyance at the additional inconvenience and may hamper productivity — and many companies have thus far declined to implement it for these reasons. A company can reasonably determine that the most desirable balance point among its various priorities makes two-factor authentication — or any specific risk management practice — an inferior choice. By focusing solely on the efficacy of a cybersecurity defense in isolation, a best practices mindset may not give adequate weight to other factors highly relevant to any particular organization and therefore may skew the organization’s decisions.
Something similar to an “adaptive practices” mindset may better reflect two of the central realities of cybersecurity: (1) that the nature of the threat is constantly changing, and (2) that the most effective defenses will emerge from the virtuous cycle of experience and learning, together with the ongoing interplay among personnel from all relevant departments and advisors. If a company changes from a “best practices” mindset to something like an “adaptive practices” mindset, it may more naturally integrate ongoing monitoring, collaboration and updating into its cybersecurity risk management.
An “adaptive practices” paradigm reinforces that a company’s risk management decisions should reflect its particular risk profile, corporate priorities and business realities at any given time. This kind of paradigm explicitly injects context into the decision-making process. This can have favorable corporate governance implications as well. Regulatory agencies are becoming more assertive in challenging whether breached organizations had taken adequate steps to protect sensitive personal information, and plaintiffs’ lawyers are becoming more creative in filing class action lawsuits following cybersecurity breaches — in each case with the benefit of hindsight. If companies can articulate the context in which cyber risk management choices were made and the decision-makers’ explicit efforts to find the right equilibrium for the company at that time, they may rebut hindsight’s power to make breaches seem almost inevitable when decisions are assessed in isolation.
Help is Available
Companies seeking to adopt or reinforce some version of an adaptive practices mindset can take advantage of many available resources. The savviest external advisors (such as breach prevention services, legal counsel, insurance brokers) are increasingly offering themselves as year-round partners rather than episodic fee-for-service providers. Among the published cybersecurity guidelines, the NIST Framework, currently being updated, may best embody the approach of treating cybersecurity as a dynamic, integrated and contextual problem with no prescribed solution. The NIST Framework encourages organizations to make clear-eyed assessments of their data assets, vulnerabilities, goals and priorities as they decide which cybersecurity practices best fit their particular needs.
Would changing the metaphorical framework for cybersecurity make any difference? It would be naive to think that merely changing the vocabulary will change how people design and implement their cybersecurity practices. Vocabulary is not destiny. It may be, however, that changing the conceptual framework will help reinforce that cybersecurity risk management is a constant process that requires frequent reassessment and adaptation and does not result in an identifiable victory. It may help shift people away from thinking that cybersecurity is a problem to be “solved” toward understanding that it is a challenge to be continually addressed based on changing circumstances and emergent practices.
A more nuanced cybersecurity vocabulary may contribute to what is most important: that organizations have cyber team members who can work across departments: CISOs who know how to establish priorities based on the organization’s goals and budgetary realities, IT people who appreciate the importance of the human dimension, outside lawyers who can integrate the several practices within their firms that have traditionally addressed cybersecurity issues within their particular realms, and insurance brokers who understand the relevant coverages and who have the knowledge and tools to help companies address the core 360° of cyber risk management. Companies that coordinate several sources of cybersecurity knowledge will likely find that they have created a “virtuous loop” of information and feedback. This process should lead to improved risk management practices that continue to emerge from the ongoing interaction among cybersecurity resources.