
The cyber industry must accept that it cannot eliminate risks

When it comes to cybersecurity, we feel we must subject ourselves to a higher level of oversight than other industries. We are expected to set the standard, which amounts to a level of perfectionism no one can attain. So what happens when a cybersecurity company falls foul of a simple mistake?

CrowdStrike can be considered a case study in this regard. I remember reading the technical statement and it was as “simple” as adding an extra field to a model and that’s what crashed everything. However, I believe this was not a simple case of a failed test, it was likely a series of events that culminated in a significant global problem. Sometimes this is called the Swiss cheese model, in which a set of defects or tests fail and all the holes in the cheese line up, allowing an event to occur.
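The failure chain sketched above, as an added example that is not CrowdStrike's code and does not reproduce its internals: a pipe-delimited content update whose records must match a declared field count, a publisher-side layout check that rejects a malformed update outright, and a canary ring that catches the case the check cannot see, namely a host whose consumer was built against a template declaring one more field than the update carries. The template versions, field counts, host names and update lines are all constructed for the illustration; the two layers are the "slices of cheese" the text refers to.

```python
"""Two layers of defence for a content update: validate the record layout,
then canary it before fleet-wide promotion. Added example, not vendor code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    """Declared layout of one record type: how many fields a consumer reads."""
    version: int
    field_count: int


@dataclass(frozen=True)
class Host:
    """An endpoint whose consumer was built against one template version."""
    name: str
    template: Template


class LayoutError(ValueError):
    """A record does not match the width the publisher validated against."""


def parse_update(lines, template):
    """Split pipe-delimited records and reject any whose width differs from
    the template. Every record is checked before any is returned, so a bad
    record never reaches a consumer."""
    records = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.rstrip("\n").split("|")
        if len(fields) != template.field_count:
            raise LayoutError(
                f"record {lineno}: expected {template.field_count} fields, "
                f"got {len(fields)}"
            )
        records.append(fields)
    return records


def consume(records, template):
    """Trusting consumer: reads exactly template.field_count fields per record.
    A record shorter than that raises IndexError here; in a native
    implementation the same defect is an out-of-bounds read."""
    return [[rec[i] for i in range(template.field_count)] for rec in records]


def apply_to_host(host, records):
    """True if the host's consumer processes the update without faulting."""
    try:
        consume(records, host.template)
        return True
    except IndexError:
        return False


def staged_rollout(lines, publisher_template, canary_hosts, fleet_hosts):
    """Layer 1: layout validation at the publisher.
    Layer 2: a canary ring that must survive unanimously before promotion.
    Returns (status, names of hosts that received the update)."""
    try:
        records = parse_update(lines, publisher_template)
    except LayoutError:
        return "rejected_by_validation", []
    survivors = [h.name for h in canary_hosts if apply_to_host(h, records)]
    if len(survivors) != len(canary_hosts):
        return "halted_at_canary", survivors
    for h in fleet_hosts:
        apply_to_host(h, records)
    return "promoted", survivors + [h.name for h in fleet_hosts]


# Constructed sample data: two template versions and a well-formed v1 update.
TEMPLATE_V1 = Template(version=1, field_count=20)
TEMPLATE_V2 = Template(version=2, field_count=21)  # declares one extra field
UPDATE_V1 = ["|".join(f"f{i}" for i in range(20)) for _ in range(3)]
BAD_UPDATE = UPDATE_V1[:2] + ["|".join(f"f{i}" for i in range(19))]  # short record


def demo():
    """Three rollouts: malformed update, mixed canary ring, homogeneous fleet."""
    canary_mixed = [Host("canary-a", TEMPLATE_V1), Host("canary-b", TEMPLATE_V2)]
    canary_v1 = [Host("canary-a", TEMPLATE_V1)]
    fleet = [Host(f"host-{n}", TEMPLATE_V1) for n in range(3)]
    return {
        "malformed": staged_rollout(BAD_UPDATE, TEMPLATE_V1, canary_v1, fleet)[0],
        "mixed_ring": staged_rollout(UPDATE_V1, TEMPLATE_V1, canary_mixed, fleet),
        "homogeneous": staged_rollout(UPDATE_V1, TEMPLATE_V1, canary_v1, fleet)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the second layer is that the publisher-side check passes in the mixed-ring case: the update is exactly what template v1 declares, and only a host built against v2 reads past the end of the record. Validation alone would have shipped it fleet-wide; the canary ring is the hole that did not line up.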

But we have to accept that it has happened, and that is because we can never truly eliminate technological risk. The sooner we change our perception of it, the sooner we can prepare to manage future incidents effectively and, above all, understand the risks involved, however improbable they may seem.

Recognize the systemic nature of risks

The CrowdStrike outage really highlighted the question: have we become too dependent on technology companies that all critically depend on each other within a large system?

The reason we use all these centralized cloud and SaaS providers is that the benefits often outweigh the risks. But if one of these large vendors were to experience an incident, it could have a widespread impact on many organizations that rely on its services.

This can create a “too big to fail” dynamic, such as in the financial sector, where the bankruptcy of a major player could have cascading effects.

I have found that, in general, people have a good understanding of the risks that are personal to them. We all know it is risky to cross a busy road during rush hour, and we mitigate that risk by using designated crossings. But, as human beings, we have little understanding of the large systemic problems we all face together, or of the fact that we are potentially concentrating all of these risks in a handful of organizations. Is it time to start diversifying our technologies and stop putting all our eggs in one basket?

Zero risk is not achievable

Let's be honest with ourselves: as much as we would like to think we can eliminate all risks, we cannot.

We need to be realistic about risk; otherwise organizations will spend endless time and money mitigating every last security-control risk, which is neither practical nor pragmatic. If you keep coding until the cows come home, nothing ever ships.

The focus should be on reducing risk to a reasonable and manageable level, rather than striving for absolute zero risk. There will always be a certain level to manage. I worked in the UK rail sector and there was a concept called “As Low as Reasonably Practicable”. I use this approach today and it has served me well.

Be transparent about residual risks

It is important to be upfront that some risks will remain, even after mitigation efforts, to set realistic expectations with stakeholders and senior management.

Don't try to fool anyone by claiming your organization's risk will be zero. Be transparent with your stakeholders about how the security function is actually performing and what you are working with. You cannot stand there saying everything is fine when it is not, and then surprise people when things go wrong. Transparency matters not only during an incident; in many cases it matters even more in preventing the incident in the first place.

Personally, I think CrowdStrike did everything it could to respond well to the incident. They were open and honest, communicated clearly with customers and stakeholders, and devoted a lot of resources and effort to public relations, relationship management, and, most importantly, technical assistance. You can see this from the constant updates and remediation tips posted online. But no matter what an organization does, it can never truly eliminate risk in its systems, nor promise that to the world.

The key is to find the right balance. It is crucial to keep security measures and incident response simple and easy to implement, otherwise they risk being neglected. At the same time, organizations must be transparent enough to maintain trust, manage risks at an acceptable level and implement practical solutions that can be systematically followed.