A camel is a horse designed by committee: achieving genuine collaboration in cybersecurity
By Travis Quinn, State Director at Trustwave
To many organisations, cybersecurity can appear to be a hindrance. This is unfortunate but understandable, because cybersecurity often does not contribute to their core business or does so only tangentially. Take a software developer as an example. The core business of the developer is to create high quality software that is fit for purpose and sell it to customers. Adding security features to the software or security oversight to the development process does not necessarily add to the value of the software for the customer.
This is a bitter pill to swallow but is true across many domains in technology. In addition to not contributing to its core business, the value proposition of cybersecurity to an organisation is often vague. To some, cybersecurity is viewed as an abstract type of insurance: a sunk cost to account for when things do not go to plan. While attitudes towards cybersecurity are maturing, outdated perceptions are still held at all levels of industry, government and academia.
While it is convenient to blame the individuals holding those views, they are not at fault. In part, the blame rests with the cybersecurity professionals who have failed to convince them. As a security professional you have the responsibility to communicate and, ideally, demonstrate the value of doing security well. You also have the responsibility to highlight the risks of doing security poorly. The latter is usually much easier, but both are important.
Within an organisation both these responsibilities are best fulfilled through genuine collaboration and tending to the often adversarial relationship that exists between security and other parts of your organisation. As someone external to an organisation (eg, a consultant), this is harder, but being candid with your clients is an excellent place to start.
This article describes how we can best bring teams together and get our stakeholders to invest in security as both a process and an outcome. Through this type of genuine collaboration, we can change perceptions about security and be viewed as enablers, not blockers.
The longest and bitterest rivalry in our industry exists between cybersecurity and IT. The objectives of IT are generally well understood: keep the lights on, provide users with access to resources and services in a timely manner and put out the fires as they occur. These objectives seem straightforward until you add security to the mix. Security people invariably introduce requirements and constraints, making the job of IT harder. Simple questions coming from security—like “Why are you using this version of this software?” or “Why are you not using this crypto protocol?”—can result in a significant amount of work and heartache for IT. From their perspective, some of these questions may appear spurious or may generate work that provides little benefit from a disproportionately large investment of time and effort.
A common example of both these issues is poorly chosen treatments in a security risk assessment. What, to a security assessor, is one line in a table cell may represent weeks of work for IT. Here is another bitter pill to swallow: the IT team is justified in being sceptical. After all, who knows your organisation’s IT and infrastructure better than your IT team? That is a rhetorical question: no one does. With that in mind, integration and collaboration are critical. The good news: the industry appears to agree, at least in principle. With the popularity of cross-functional approaches like DevOps and DevSecOps we are seeing the adoption of practices that can normalise integration across development, IT and security, as well as introduce efficiencies. This is a good thing. However, for many organisations these approaches are not feasible, which is fine because there are many pathways to good cross-functional cooperation. Regardless of how you run your business or your projects, there are a few things you can do to improve collaboration.
Firstly, invite early and invite often. Cast a wide net when inviting relevant stakeholders to your meetings and workshops. If an invitee does not think they will have something to contribute or they are worried they will not get something out of it, then they will let you know one way or another.
Secondly, get your stakeholders invested in the outcomes. Give them opportunities to have input and to challenge your assumptions, assessments and decisions. Where possible, you can also consider their objectives in your strategies and planning.
Thirdly, do not do security in a vacuum. Cybersecurity is often described as a team sport, and that is a reductive but apt way to describe it. When this idiom is used in our industry, it is often to describe enabling others in the security team to succeed. Of course, this is a good thing and something we should all aspire to, but the team is not security alone: if your goal is to win, it cannot be.
Doing security in a vacuum can be avoided with simple initiatives. For example, know the architecture and networking experts in your organisation. Of necessity, these individuals have often developed a great understanding of cybersecurity and can help you fill in the gaps in your own knowledge. Lastly, do not fall victim to design by committee or groupthink. This concept stands in contrast to the rest and is worthy of a separate discussion.
Calling back to the title, the expression a camel is a horse designed by committee dates from the mid 20th century. It describes a situation where the perspectives of all members of a group are incorporated in an outcome and, lacking a unifying vision, the outcome becomes compromised. In a security and engineering context this may manifest as an impossible set of requirements from too many stakeholders with weak scoping and prioritisation skills.
An infamous example of this is the F-35 Joint Strike Fighter (JSF), which ran over budget, over schedule and, arguably, underdelivered on its specification because the design team was trying to balance the requirements of all the arms of the United States military. In a highly critical January 2021 review of the JSF program, then acting US Defense Secretary Christopher Miller described the JSF as a “piece of [expletive]”. In psychology there is a closely related concept to design by committee: groupthink. Groupthink describes how the desire for harmony in a group negatively impacts the collective reasoning and decision-making ability of its members.
Groupthink is a common problem in cybersecurity and is a danger to genuine collaborative efforts. It is a particularly easy trap to fall into early in your career or in an environment where you are less confident in speaking up. Combatting groupthink is largely about recognising that collaboration is neither people pleasing nor avoiding ‘rocking the boat’.
Genuine collaboration comes from working with your teams and subject matter experts to achieve the best outcomes while factoring in requirements and constraints. At times this could mean disagreeing and having difficult conversations, but that is part and parcel of any collaborative effort.
In closing, collaboration in security is difficult and complex but ultimately rewarding. Doing it well is one of the best ways to dispel the unhelpful perceptions of cybersecurity that still linger, and to deconstruct adversarial relationships in your workplace.
Things will not always go to plan, but with honest communication and engagement you can achieve the best possible outcome given the circumstances and carry forward the lessons learned to support your career.
www.linkedin.com/in/travis-quinn1