Monday, July 8, 2013

Dimension 7: Effective External Engagement

This is the seventh post defining each of the Ten Dimensions of Cyber Security Performance.  Thus far, I've defined the six dimensions that comprise operational or day-to-day cyber security.  Dimensions 7 through 10 are qualitatively different in that they guide, structure, and set requirements and constraints for operational cyber security but do not directly control or influence it.  These dimensions might be more controversial as essential performance dimensions, but I hope to convince you that they are both necessary and not subsumed in the first six dimensions.

Performance in the dimension of Effective External Engagement means identifying, understanding, negotiating, implementing, monitoring, and improving relationships with organizations and entities external to the focal organization.  "External relationships" includes technical or informational relationships with service providers such as Internet Service Providers (ISPs), DNS service providers, registrars, certificate authorities, federated identity service providers, etc.  It can also include the entire supply chain for an organization's information technology and communications.  Obviously this includes suppliers of information security products and services.

But it would be a mistake to view this dimension as solely a matter of managing technological relationships or supply chain management.  If it were, then it might be subsumed under the other dimensions.  The rest of this post explains what's new.

The key to understanding performance in this dimension is to view organizations as being coupled in terms of risk, and not just as suppliers/consumers of products, services, or information.  "Coupled" means the existence of one-way or two-way influences between organizations, and these influences take the form of risk drivers.  Simply, if Firm A takes action (or abstains from taking action) that significantly increases or decreases enterprise risk for Firm B, then Firm A drives risk for Firm B, even if they do not have a supplier/customer relationship.  Therefore, the starting place for performance in External Engagement is to understand how external organizations drive your risk (at an enterprise level) and how your organization drives risk in other organizations (and for individual people).

Supply Chain Relationships

Supply chain relationships that involve risk drivers are the most obvious external engagements.  A classic example of this is the patch release practices of packaged software vendors, especially platform software.  Several years ago the financial services industry performed a study of information security performance and found that the patching practices of vendors (e.g. Microsoft, Oracle) had a major driving effect on the costs and performance of financial services firms.  This led to extensive dialog between the two classes of firms and, eventually, to substantial changes in the patching practices.  But it also has led many firms to adopt cloud-based software ("Software as a Service") because the vendor manages patching and updating transparently to the user firms.

Government and law enforcement relationships (plus civil liberties)

Another class of external risk driver relationships is those with governments, law enforcement, or other non-firm institutions such as information sharing organizations and standards bodies.  Governments and law enforcement have unique rights and capabilities to take direct action against Actors who are malicious threat agents.  This is indicated on the block diagram by the curved, 3D shaded arrow pointing back to Actors.  In this framework, any organization that engages in "counter-attack" or "offensive cyber actions" is acting as a vigilante, and thus usurping the role of government or law enforcement.

As socially sanctioned institutions of power and coercion, governments and law enforcement might overreach by taking action that jeopardizes the civil liberties of Actors (people) who are not malicious threat agents.  This is where the civil liberties aspect of cyber security becomes relevant for many firms, especially large service and information providers, but also potentially any bank, any healthcare organization, any ISP, or any consulting firm, because they hold information that, if misused, could lead to violations of civil liberties by overreaching governments or law enforcement.  Therefore, effective engagement means that you need to not only engage with the relevant government and law enforcement organizations but also understand and monitor what they are doing and how it might affect civil liberties.  Without this consideration, firms could find themselves becoming unwitting accomplices to systematic violations of civil rights.

Trusted Third Party relationships, and institutions for collaboration

Another class of external relationships are with "trusted third parties" (TTPs) of various types.  These could include certificate authorities, professional certification organizations, audit firms, risk assessment consultants, insurance firms (including risk pooling and other non-traditional forms of insurance), and so on.

Finally, there are also important external organizations and institutions that center on collaboration, cooperation, and mutual aid.  In the domain of cyber security, many of these are just starting, are in the early stages of development, or are among a swarm of competing institutions.  Thus, they face challenges of becoming sustaining and well-functioning institutions.  For your organization, effective engagement may mean choosing which institutions to support, participate in, or formally join.  It may also mean that you need to invest scarce resources -- people or money -- to help the institution take off and succeed.  Finally, it may also involve taking chances in the form of pilots, experiments, and "skunk works" where innovative ideas are tried on a small scale to revise their design.

An executive and board-level responsibility, usually inadequately performed

Deciding how to manage these external engagements is an executive and board-level responsibility, and cannot be delegated to the people and teams responsible for operational cyber security.  But with perhaps a few exceptions, most organizations do an inadequate job in the dimension of Effective External Engagement.  The mutual nature of risk drivers is often poorly understood.  External organizations are often not adequately identified, nor well understood.  But most of all, these engagements do not get sufficient resources, nor are they designed adequately.  Instead, they often happen accidentally and sometimes in the worst circumstances -- i.e. in the midst of a crisis.  This poor engagement creates a negative cycle which decreases the effectiveness of the external organizations and institutions, and this in turn decreases their attractiveness to existing or potential participants.

(Next dimension: 8. Effective Agility & Learning)
