See things clearly
In “Cyber Security and Global Interdependence”, Dave Clemente of Chatham House discusses the ‘security implications emerging at the intersection of cyberspace and infrastructure’. One of his conclusions is that,
“Meeting these security challenges requires better shared understanding of what is critical between those who protect an organization and those who set its strategic direction.”
Similarly, during a panel session at the recent Infosec 2013 conference, Avtar Sehmbi, head of information security at Centrica said,
"It's taken me years and years to work out the business perspective first and then look at the risk perspective, although they intertwine.
You do need some kind of engagement strategy. You're selling what you're doing, your initiatives and your views on risk. It's really crucial.
You're expected to know all the intricate details, as well as a holistic picture..."
Geraint Price and Keith Martin also espouse the need for clarity in a world undergoing increasing interconnectivity and ‘accelerating pace of change’,
“...there is a need for improved interaction between business and security units to address the fundamental challenges. One of these is that the risks in cyberspace are hard to judge and analyze; indeed, in many cases, experts disagree about the severity and scale of threats in cyberspace.
We also struggle to make balanced trade-offs between risks and benefits, in part because we don’t have the right language within which to frame their analysis..."
In the ‘sketch notes’ for his presentation, “In cyber space no one can hear you scream”, Dr Price emphasises some key points:
So the key question is how can the cybersecurity industry improve communication and create more clarity? Where is the common language it needs to best secure today’s business critical flows of data?
This is a topic we’ve blogged about a few times; here are some extracts:
“...to some degree your organisation can be considered as a “refinery” - instead of processing oil, it processes data... clarity can only be created when you can clearly see and easily communicate how the assets of the business (including people) interact with flows of data”
“Oil refineries are hugely complex yet they rarely suffer failures – why? Because the industry understands and can easily communicate the complexity of the business...digital flows (representing product flows) are clearly understood and constantly monitored”
“In Oil & Gas...Computer models allow all relevant stakeholders to see clearly how individual assets interact ... And easily understandable maps...are printed from the computer models to enable clear communication between business managers and technical specialists”
“Today, the reason so many IT projects fail, or are vulnerable to outages, or are compromised in a cyber attack, is that there is a lack of comparable clarity about how data flows through and between organisations”
“Our breakthrough modelling technology models how assets that enable and support data flow - people, process and technology - interact...[producing] simple maps of the business that are easily understandable to all stakeholders...[helping them] make the best-informed decisions about minimising risk to data flow reliant physical systems and networks”
To create the best chance of managing cybersecurity successfully, the key is to understand how data flows through your people, process and technology.
Price and Martin argue that for security experts, “there is definitely a need for some new approaches.”
Here at OBASHI, our new approach has evolved from the decades-old, tried-and-tested techniques of the process industries.
We think it is a powerful, yet simple way for smart security professionals to address a key challenge outlined at Infosec 2013,
“to speak convincingly in a language that mere mortals can understand."
What do you think?