The security opportunity in Digital

Four years ago I discussed some of the characteristics of cyber security that made the use of the term useful, this was at a time when the use of cyber security was widely derided by practitioners of IT security and Information Security. One of the common complaints was that Cyber was just the same things we had already been doing re-branded to seem ‘cool’. As time has moved on the practices of cyber have become clearer, the use of threat intelligence, the development of threat hunting, the increased focused on incident response, the wide deployment of behavioural analytics etc. As is the case early adopters knew they were solving new problems in a new way but the articulation of meaning to the later adopters has needed a body of activity and emerging practices to clarify how cyber security overlaps with but also differs from the other predecessor disciplines IT and Information Security (both of which are still going strong and are still necesary).

Another buzzword appeared soon after cyber and that was Digital. Digital is a customer-focused technology-first approach to business that again looked just like what we were doing before in technology and business activities. Over time practices have emerged, agile development, devops, infrastructure automation, cloud, mobile, social etc that have started defining what the early adopters really meant when they said Digital.

Digital lies in the intersection of velocity, scale and complexity.

As we adopt digital approaches across our businesses we will undergo a major change in the cadence of and approach to technology delivery. We will put customers at the centre of our systems and we will focus on an incremental and experimental approach to improving customer experience. This will require that we are prepared to fail regularly and that we are prepared to learn from failures without suffering from them.

  • Approaches to increasing delivery velocity include adoption of agile product management, lean product development, continuous deployment, devops deployment and use of automated cloud infrastructures. All of these require that we develop the capability to securely handle velocity, scale and complexity in a manner we have not previously.
  • The drive to increase our understanding of our customers will put a priority on customer telemetry, we will collect and analyse in real time larger and larger data sets that we increasingly throw away after the analysis.
  • The need for robust automated infrastructure to support digital transformation makes a business case for cloud adoption even without the underlying cost savings compared to on-premise provision. Modern Infrastructure-as-a-service cloud providers provide scalable and automatable platforms.

The adoption of Digital has significant implications for security, the first is that many of us designed and built our security processes and teams around traditional IT systems and fairly waterfall change or transformation processes. Digital adopters within large enterprises run into security friction very quickly mostly because the processes don’t accommodate the increased cadence, lack of speed and flexibility are seen as a security problem that needs to be fixed. This is missing the point and only really addressing the visible tip of the iceberg of change that needs to happen.

Traiditonal IT change deliveres systems that have a high MTTR (mean time to recover). The focus of traditional IT is stability and the avoidance of failure becuase failure is costly. This means traditional IT (and the security teams that partner with them) avoid risk, we increase governance to ensure risks are managed and focus on visibility of performance to avoid operational failures. Traiditonal IT is hostile to change as that presents new risks to operational stability leading to frozen systems we can never patch. The intense focus over 12-18 month delivery project to manage out all possible operation risk delivers systems which are meant to operate normally under all forms of expected stress even if administrators are not on hand.

Airbus A380 maneuvering in airshow
Positive Stability

Traditional IT builds systems that exhibit positive stability like jumbo jets. If a modern jumbo jet pilot is incapacitated after take off there is  very strong chance the plane would fly itself to it’s destination and short of an extreme weather event it would react to flying conditions successfully. Even while in the air there is little for a jumbo jet pilot really to do.

This contrasts with Digital Technology delivery which delivered systems that have a low MTTR. The focus of digital technology is agility, they are hungry to take risks, they want increased velocity, they want visibility of everything and are hungry for change. These are systems that are used to continually experiment and are resilient to major failure by being aware and responsive to minor failure.

Eurofighter
Relaxed Stability

Digitial technology delivers systems that exhibit relaxed stability like fighter jets. If a modern fighter pilot is incapacitated the jet is likely to plough into the ground more or less immediately as the pilot has to continually fly the plane. The real benefit is that the fighter jet is agile, has better situational awareness and is able to react to potential threats before they become real issues.

For those that have been keeping up with cyber this must be starting to ring bells. The bad guys are focused, agile, automated, responsive, joined-up and collaborative. The opposition were Digital before we knew what digital was and have taken advantage of that.

Russian fighter Sukhoi Su-34 flying
The opposition

In cyber we’ve been flying jumbo jets with the OODA loop you’d expect from a positive stability platform that focuses on avaoiding change but we’ve been facing the opposition in fighter jets with an OODA loop that beats us. This is Traditional IT limiting cyber defence.

Digital security requires security professionals to make some significant cognitive leaps, we need to truly undertsand that experimentation and taking risks in low MTTR environments leads to knowledge and that potential harms can be constrained by the speed of our response and ability to change at pace. The converse is that the technology function sstepping into digital need to realise that there is a trade off and that digital is not attempting to deliver high MTTR systems without managing out the risk and that frozen systems are not a valid outcome anymore. Taking risk means accepting change. This is a serious shift for security, methodologies and governance all need to be re-tooled with different set of underlying assumptions otherwise we will end up slapping fighter jet engineers on a jumbo body and hurting a lot of customers when it crashes hard.

Digital is a trade off and the benefit to security professionals is we end up in a much more evenly matched fight. Digital is a possible solution to the IT problem in cyber if we can get beyond the buzzword and really understand the practices and what the benefits as well as the costs to security are.

shooting fish in a barrel to a real fight