
To Save Your Security, Learn to Move at the Speed of the Wild


Monkeys move with curiosity, agility and speed. When competing for a prize, they focus on their prize and use their knowledge to race to where the prize will be, not where it was. They quickly adjust their speed to match the speed of the situation. Creatures of the wild take advantage of their capabilities in their environment.

We can all stand to learn from these animals, because a frequent contributing factor in the root cause of security failures is the organization’s inability to move at the speed of the wild.

After presenting at ISACA and IIA programs earlier this year, I heard a common statement from auditors: “it is all moving too fast.”

Auditors described how they attempted to apply audit methods (even good ones) and yet suffered security problems. “We just need more auditors,” said one in exasperation.

Will more auditors fix security? No. As those familiar with ISACA know, there is a big difference between the methods for daily use of a COBIT implementation and a periodic audit of a COBIT implementation.

  • Assurance is about whether policy, procedure, standards and such existed and were complied with at a past point in time. Audit “risk assessment” is about top priorities for audit, not about risk to specific business objectives in a dynamic world. Audit scope may be any agreed-upon bite-sized piece, not the organization’s entire dynamic world.
  • Security must happen every second of every day. The scope is the entire living system with all its change, complexity and fatigue in people and equipment. Security must adjust to each change in actor, action, attack method, infrastructure configuration and timing.

Assurance methods may be used to audit whether appropriate security processes exist. Assurance methods should never be used to actually manage security—they are simply the wrong tool for that job.

Because assurance is about achieving business objectives, the audit function is central to assuring the right tool is used for the job.

The wrong tool for the job often increases risk and wastes time and money. Worse, it might provide a false sense of security and divert attention from higher priorities.

Looking to the future, the wrong tools will increasingly struggle as attackers learn more lessons in deception from the history of warfare, sports or the wild.

Methods must change. To meet the threat, methods must be able to move at the speed of the wild. Further, methods must succeed in the “dirty” wild—a system where users and devices frequently change.

Designed to move at the speed of the wild is the 5+2 Step Cycle for managing risk. Step 1 is “know the business,” including “dirty” environments. Step 2 is “what if?”—the heart of managing risk. By understanding the speed at which a scenario unfolds, a response can be designed in light of the entire system and how a system is likely to fail.

The 5+2 Step Cycle achieves this speed because it was designed to:

  • Be simple, to avoid adding complexity to system complexity and thus increasing risk
  • Save time and money—effectively creating resources thus easing the struggle to “prioritize”

A stark reminder of what happens when the response cannot match the speed of the situation is this new video from the U.S. National Transportation Safety Board. In aviation, the Commercial Air Safety Team (CAST) was created to avoid accidents. CAST’s award-winning progress was a fundamental shift.

In security, benefits of making the shift start with fewer ugly surprises, more actionable insight, and reduced time and cost. Your opportunity today is to shift to the right tools designed to move at the speed of the wild.

Brian Barnier
Principal Analyst & Advisor, ValueBridge Advisors, USA


About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

