To Save Your Security, Learn to Move at the Speed of the Wild

Monkeys move with curiosity, agility and speed. When competing for a prize, they focus on their prize and use their knowledge to race to where the prize will be, not where it was. They quickly adjust their speed to match the speed of the situation. Creatures of the wild take advantage of their capabilities in their environment.

We can all stand to learn from these animals because a contributing factor to security failure root cause is frequently the organization’s inability to move at the speed of the wild.

After presenting at ISACA and IIA programs earlier this year, I heard a common statement from auditors: “it is all moving too fast.”

Auditors described how they attempted to apply audit methods (even good ones) and yet suffered security problems. “We just need more auditors,” said one in exasperation.

Will more auditors fix security? No. As those familiar with ISACA know, there is a big difference between the methods for daily use of a COBIT implementation and a periodic audit of a COBIT implementation.

• Assurance is about whether policy, procedure, standards and such existed and were complied with at a past point in time. Audit “risk assessment” is about top priorities for audit, not about risk to specific business objectives in a dynamic world. Audit scope may be any agreed-upon bite-sized piece, not the organization’s entire dynamic world.
• Security must happen every second of everyday. The scope is the entire living system with all its change, complexity and fatigue in people and equipment. Security must adjust to each change in actor, action, attack method, infrastructure configuration and timing.

Assurance methods may be used to audit whether appropriate security processes exist. Assurance methods should never be used to actually manage security—they are simply the wrong tool for that job.

Because assurance is about achieving business objectives, the audit function is central to assuring the right tool is used for the job.

The wrong tool for the job often increases risk and wastes time and money. Worse, it might provide a false sense of security and divert attention from higher priorities.

Looking to the future, the wrong tools will increasingly struggle as attackers learn more lessons in deception from the history of warfare, sports or the wild.

Methods must change. To meet the threat, methods must be able to move at the speed of the wild. Further, methods must succeed in the “dirty” wild—a system where users and devices frequently change.

Designed to move at the speed of the wild is the 5+2 Step Cycle for managing risk. Step 1 is “know the business,” including “dirty” environments. Step 2 is “what if?”—the heart of managing risk. By understanding the speed at which a scenario unfolds, a response can be designed in light of the entire system and how a system is likely to fail.

The 5+2 Step Cycle achieves this speed because it was designed to:

• Be simple, to avoid adding complexity to system complexity and thus increasing risk
• Save time and money—effectively creating resources thus easing the struggle to “prioritize”

A stark reminder of what happens when the response cannot match the speed of the situation is this new video from the U.S. National Transportation Safety Board. In aviation, the Commercial Air Safety Team (CAST) was created to avoid accidents. CAST’s award-winning progress was a fundamental shift.

In security, benefits of making the shift start with fewer ugly surprises, more actionable insight, and reduced time and cost. Your opportunity today is to shift to the right tools designed to move at the speed of the wild.

Brian Barnier
Principal Analyst & Advisor, ValueBridge Advisors, USA

[ISACA]