We're marching along well into 2018, and I think it’s safe to say we’re not experiencing a cybersecurity revolution. Sure, there has been some great advancement in tech, with AI and blockchain applications beginning to steamroll. It seems if you add “blockchain” to whatever you’re doing, you’ll get a bump in business. Really, this happened in late 2017.

And as an aside, “blockchain” should not be synonymous with cryptocurrencies.  They are distinct from each other.  I personally think the blockchain technology is fantastic, but I am still a bit of a skeptic on the cryptocurrency front if you missed the initial few “investment” waves.  With that said, economic realities throughout the world do make cryptocurrencies attractive to many, so I am not writing them off.  Just too soon to tell for me, which means I see them more as a speculative commodity – today – instead of a means of conducting daily financial transactions.

So great, we have a lot of tech progress, but what does that mean for keeping our data protected?  Well, because we haven’t seen the “cybersecurity revolution” mentioned above, my feeling is that we’re still tripping over ourselves, which means we’re still getting the basics wrong.  If you need a refresher on some of the basics, here is an older post from the summer of 2017.  Half a year plus later, everything still applies and that tells me that there is something fundamentally wrong with how we approach our cybersecurity problems.  And I’m going to present to you one of the most galactic-sized problems we face.

I have often said that you shouldn’t use “security” and “efficiency” in the same sentence (okay, I know I am here, but it’s to define context!).  The reason is quite simple: the terms are contradictory in nature.  But I continue to hear nonsensical comments like “efficient cybersecurity” and it makes me wonder: do these people have a clue?

I get it, we look for efficiencies because – at least in theory – efficiencies make us more productive and better productivity means greater profits (or whatever “metric for success” you use).

Efficiency, as a concept, works great when you don’t have these cataclysmic costs hit you every so often (in this case, we call them the painful cyber breaches).  And why is that?  It’s because efficiency makes you, wait for it: efficient.  Efficiency doesn’t make you strong, resilient, robust, or antifragile.  It just makes you efficient, which in many cases means you build fragility into your system.

Let’s visualize this.  Think of an artistic glass sculpture.  It’s gorgeous, a total masterpiece.  The sculptor has used every technique in the book to make this piece of art look the way it does.  In terms of art, it is the most efficient use of glass known.

And then I drop a glass marble on it and the entire thing shatters.

That’s what we’re doing in our supply chains, our enterprises, and, if we are utterly foolish (we have a good track record of doing that), our soon-to-be “smart” cities (note: “smart” cities are actually pretty dumb, but that’s for another post).

We always look at things from the upside. We look at “what can be made” most of the time. This is a good thing, to be honest. Being positive is good for the soul and helps us innovate. But there is a looming downside that, in many ways, we are pretending doesn’t exist. We rarely look at “what can be lost” in these cases.

The problem is that a couple of decades of building fragility into the system means that there are more ways for things to be lost now, and our blinders are, in large part, a function of this entire “efficiency worship” in the business world.

And that’s why I think security measures are not getting any traction: security is really a redundancy.

So here is my easiest way of explaining it: what is the “most efficient” way into your house? It’s a house with no door. Efficiency means reducing impediments, or put another way, redundancies. A “door” is an impediment to you entering your house, making it a redundancy. A lock on the door is another impediment (redundancy). Just like a fence. Or a security guard. Or a moat!

So why do we build all these redundancies into our homes?  Simple: because we want to protect our homes.

That’s the mindset change that’s required if we want to emphasize the security in cybersecurity: build redundancies, reduce fragility, and be capable of withstanding shocks. Is that more expensive on the front end? Yes. But we’ve entered the age of “massive” shock, where billion-dollar losses are within the realm of the possible. Not many companies can survive that, and unless we go down the “too big to fail” road, government subsidies to help big corporations weather their losses are not a likely option.

Efficiencies in business are great, but in order for them to be effective, a precondition needs to exist: nothing goes wrong. We’re finding out that in the cybersecurity world – something that touches everything – a lot is going wrong.

By George Platsis, SDI Cyber Risk Practice

March 6, 2018