Saturday, January 18, 2025

The Cyber Industry Must Acknowledge That Risk Cannot Be Completely Eliminated

In the field of cybersecurity, there’s an expectation that we must uphold a higher standard than others. We aim to become the benchmark for excellence, a level of perfection that often feels unattainable. So, what occurs when a cybersecurity firm makes a seemingly minor error?

CrowdStrike serves as a pertinent example. I recall reviewing their technical report, which revealed that a single additional field in a template led to a significant crash. However, I suspect that this was not merely a straightforward test failure; it likely resulted from a chain of events culminating in a widespread issue. This scenario reflects the “Swiss cheese model,” where a series of faults aligns perfectly, allowing a failure to occur.

We must come to terms with the fact that setbacks can happen, and it’s crucial to recognize that total risk elimination in technology is impossible. The sooner we adjust our perceptions of risk, the better equipped we’ll be to manage similar incidents in the future and to understand the inherent risks, no matter how unlikely they may seem.

### Recognize the Systemic Nature of Risks

The CrowdStrike incident raises an essential question: have we become overly dependent on technology companies that are intertwined within a vast system?

We often turn to centralized cloud and SaaS providers because their advantages typically outweigh the associated risks. However, when one of these major players encounters a problem, the effects can ripple through numerous organizations that depend on them. This creates a “too big to fail” scenario akin to the financial sector, where the collapse of a significant entity could trigger widespread repercussions.

People generally grasp personal risks well—for instance, we navigate busy streets with caution. Yet, we struggle to comprehend the larger systemic risks we face, often inadvertently outsourcing these risks to a select few organizations. Perhaps it’s time to diversify our technology resources instead of relying too heavily on a single source.

### Zero Risk Is Unattainable

Let’s be honest! Despite our best efforts, completely eliminating risk is an unrealistic goal.

We must adopt a pragmatic approach to risk management; otherwise, organizations could waste endless resources and energy on security measures that may prove impractical. If you keep writing code indefinitely, no product will ever see the light of day.

Instead of obsessing over achieving absolute zero risk, the focus should be on minimizing risk to a manageable level. Some degree of risk will always persist. During my time in the UK rail sector, we operated under the principle of “As Low as Reasonably Practicable,” an approach that continues to serve me well.

### Be Transparent About Residual Risks

It’s vital to be honest about the fact that some risks will remain even after mitigation strategies are applied. Setting realistic expectations with stakeholders and senior management is essential.

Avoid giving the impression that your organization has achieved a risk-free environment; being transparent about the vulnerabilities your organization faces is crucial. It’s unwise to suggest that everything is under control when it’s not, as this could lead to unpleasant surprises in the event of a failure. Transparency matters not only during an incident but also in preventing one from occurring in the first place.

In my view, CrowdStrike did a commendable job in addressing their incident. They were forthright and clear in their communication with customers and stakeholders, dedicating significant resources to public relations, relationship management, and technical support. Their ongoing updates and remediation advice demonstrate this commitment. However, no organization can promise complete risk elimination.

Finding the right equilibrium is key. Security measures and incident response strategies should be straightforward and easily implemented; otherwise, they risk being overlooked. At the same time, organizations must be transparent enough to build trust, effectively manage risks, and deploy practical, consistent solutions.