Sunday 18 August 2013

Swatting the angry wasps

If you've ever watched a group of 6 year old kids playing football (or soccer if you're North American), you will understand what I mean straight away. They all crowd around the ball, screaming incoherently, all trying to play. Frankly, they're rubbish. They are like a swarm of angry wasps, except that they're slightly less intelligent.

Sometimes you will see, standing off at the side, a clever one. They are 'in space' as the football pundit parlance goes. Give them the ball, and they'll have time to do something constructive. They don't get the ball often, because the angry wasps are keeping it to themselves.

This is the perfect analogy for many organisations. So often, a new initiative is launched, and all the dimwits crowd round it, screaming incoherently. They kick, shove, scream - and are normally ineffective. Sometimes, you have to get yourselves into 'space'. In football parlance, what you need is someone who can 'put their foot on the ball'. These are guys who stop the madness (normally only for short periods), look around, and then pass the ball to someone in space. The greatest footballers are normally those who can put their foot on the ball, look around, and then do something constructive with it.

We security types often behave like 6 year old children. We follow the latest edict or trend, crowd round the ball and scream. It's not just technical issues that get treated like this. It could be something like sales. The cry goes up - 'We need to improve our pipeline' - and we all drop everything. This is where the problem starts. We can't sell without products, and so often, all our effort goes into sales. We can't get better products or services without helping our people improve. Training and education are so often the first items to be struck off the budget - especially when 'we need to improve our pipeline'. We have to deliver our Business As Usual (BAU) services. This can be forgotten. If your BAU is rubbish, people find out about it pretty quickly. Then they go and tell other people. This makes your sales effort harder.

In the short term, by concentrating solely on sales, we may have successes - improving the pipeline. We will not have improved our products or our people. You cannot sustain sales without improving your people and products. The three pillars of BAU delivery, service/people (or product) improvement and increasing your revenue cannot exist in isolation. They are totally symbiotic. There are other such magic triangles, such as Good, Quick and Cheap. You can only get two of the three at any one time. If it's cheap and quick, it won't be any good. If it's good and quick, it won't be cheap.

In my triangle, you need all three. If you fail to manage one element, in time, you will fail. Remember, sometimes you should put your foot on the ball. My favourite footballers were such men. Graeme Souness was famous for taking the time to stop, look up, and then do something devastating with the ball. The late, great Billy Bremner was another of the same type. What is also notable about the two of them is the fact that they were amongst the most aggressive, no-nonsense players you could imagine. Bremner in particular took no prisoners.

Don't act like a 6 year old kid. Act like a midfield maestro, but remember to deliver the occasional kicking when required.

Friday 9 August 2013

Whatʼs in a word? Cyber Security and reality

There are a number of terms currently being used by security practitioners that really annoy me. Threat vector. Threat landscape. The worst is Cybersecurity. What a wonderful word. Its real beauty is that it means whatever you want it to. It is now shortened to ʻcyberʼ - and is used and misused across the world by serious professionals, semi-literate journalists, snake-oil merchants and associated charlatans alike.

Having said this, it has undoubtedly grabbed a lot of attention. Where IT Security and Information Security failed (pretty spectacularly to be honest) - Cybersecurity has flourished. Board members are concerned about ʻcyberʼ. Governments run scared of ʻcyberterroristsʼ. ʻCybercriminalsʼ wait everywhere, desperate to desecrate ʻthe Gridʼ - the basic utilities we all think we need to survive.

Is this real, or is this hype? What has actually changed? The answer is simple. In terms of the basic threats we face, nothing has changed. In terms of risk, the picture is very different.

Letʼs start with a bit of deconstruction. What does ʻcyberʼ mean? The root of the word has become obscured. The term κυβερνήτης (cybernetic) is based on an ancient Greek word that suggests someone is ʻexpert in directionʼ - a steersman or pilot. It can also mean ʻrudderʼ. It suggests remote control. It did not mean security. It does now.

Now I know that words evolve constantly. You canʼt decide that once defined, a word stays the same in meaning ad infinitum. The word ʻjargonʼ used to mean the “chattering of birds” (from the Old French gargun). It doesnʼt mean that now, even though the ancient definition can be applied to many of the self-aggrandizing security talking heads I sometimes have to deal with. Perhaps this is why my initial deep annoyance with the term ʻcyberʼ is beginning to mellow. It may be a total aberration of the original term, but it has generated something - that being a growing awareness of the risks we all face. It may not be down to the word itself, but its increased use coincides with a real change in the way information risks are perceived.

Western societyʼs reliance on the Internet and dependency on connected systems to manage power, water, traffic, financial services, mineral prospecting, food transport logistics, medical procedures, emergency response services etc etc - make us very vulnerable. Very vulnerable indeed. This is the stuff that grabs attention. Not ʻphishingʼ attacks on individuals to gain banking system logon details. Such things are, on a global scale, an irritation. Nor the defacing of websites. Such defacements normally reflect highly emotional social issues (gay marriage, women clergy, animal rights, privacy matters and so forth) rather than life-threatening circumstances. The real deal is ʻlife and limbʼ, and we have now reached a situation wherein truly critical systems are exposed to remote attack.

This situation is exacerbated by the manner in which these systems are closely connected. Disruption to electric power supplies will disrupt most other systems. Compromising the water supply affects everyone - deeply. Transport, logistics and food supply are closely interlinked. In many western countries, a light dusting of snow can cause basic systems, such as the railway network, to grind to a halt. Itʼs not difficult to extrapolate this and understand how a targeted attack on utilities could cause significant collateral damage. There are a number of subplots to this. We should, for all sorts of reasons, look to use local resources rather than having them brought in from distance. Shortened supply chains tend to be more resilient, and easier to repair than lengthy ones. They also generate less carbon. But we donʼt always look to local solutions, and the lack of true operational resilience in western societies will cause real problems if it is not addressed.

Which brings me back to ʻcyberʼ. My deep annoyance at the term is not an isolated instance. Iʼve spoken to lots of other people (from all walks of life) who feel the same. Jargon and hyped terminology is often, for good reason, treated with skepticism and disdain. This is happening to the word ʻcyberʼ and will continue to happen unless we intercede. It is essential that we ensure people understand the true scale of the risks we face. People donʼt look under the bonnet (or under the hood if youʼre American) except when things go wrong. A glimpse under the bonnet of our interconnected society suggests to me that we need to make sure it is capable of withstanding calculated, targeted, malevolent attacks. A scattergun approach when discussing such risks will reduce the overall effectiveness of our communications. We need to keep the snake-oil merchants at bay whilst passing on our message.

So - what is our message? What is ʻcyberʼ? Is it ʻIT Securityʼ? Does ʻcyberʼ enhance or replace ʻInformation Securityʼ? Is there an alternative? Suggestions on this are very welcome! We are at a juncture that will, if we manage things well, help set up resilient systems across society. The longer we allow things to drift, and let the charlatans muddy the waters, the less capable our society will be to manage systemic failures when they happen.