CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

Home » Archives for John Scott

John Scott

Your Enterprise has too many Cyber-ish People

Cyber has been called the ultimate team sport: CIOs, CTOs, SysAdmins, Software Developers, CISOs, threat teams, red teams, testing groups, etc. etc, but really should it be? It seems more like a jobs program that moves headcount from one part of the enterprise to the expensive nerdy-side.

Sitting through a number of presentations at various cyber conferences recently I’m struck that many enterprises cyber security planning comes down to having ‘the best people’ doing really pretty boring jobs. Jobs like keeping software updated, tracking down holes in the firewalls, waiting for alarms to go off, being fed alerts about out-of-date software: in short lots of controlled firefighting. But it all seems like enterprises are just working harder (and expensively) by throwing more people at the problem – instead of finding new ways of doing their business securely.

Programmable meat is expensive, fallible and has to sleep. We need to use technology and change processes to manage the problems that technology can create. Streaming lining software development and deployment, DevOps can help, but needs to go further by automating as much as possible inside the enterprise. As well as perhaps outsourcing large parts of the enterprise that don’t add value or aren’t core to the business.

So: constrain funding! Figure out how to secure your enterprise with half the staff, because as enterprise software use accelerates (doubles over the next 24 months?) thats the future: double the demand with half the supply (and maybe the North Koreans living inside your network).

Related Posts:

Tech Firms Seeking To Serve Federal Missions: Here is how to follow the money

Cloud Computing

Breaking News: Enterprise IT Now Sexy

For Want of a Patch (& a Supply Chain)

For Want of a Patch

For want of a patch the component was lost.

For want of a component the stack was lost.

For want of a stack the system was lost.

For want of a system the message was lost.

For want of a message the cyberbattle was lost.

For want of a battle the enterprise was lost.

And all for the want of a software patch.

As the old proverb reminds us, logistics is important: most battles are over before they’ve begun due to having or not having a solid logistics tail. During WW2 the Allies found out the hard way with the invasions of Africa: ships loaded incorrectly led to delays in material onto the beaches and towns, things like ammunition, fuel and medical supplies are needed before typewriters and tents. As subsequent amphibious invasions progressed (North Africa, Sicily, Italy) the military learned how to coordinate better the planning and ultimate loading and unloading of material and manpower to have the largest effect in the fight. These processes ultimately culminated with the successful massive invasion of Normandy to end the 3rd Riech’s hold on Europe. 

The key lesson was to view logistics in war as a continuous process that feeds a fast and continuously maneuvering Army. 

Cyberwar is no different and more closely follows the proverb: one unpatched line of code can leave an entire enterprise open to assault. Why? Accelerated use of software, more software dependencies on other pieces of software AND all that software is constantly in need of being updated. Current organizational processes to keep software updated can’t keep up with the change being generated by the outside world. 

Example: Amazon software deployments for May 2014 for production hosts and environments: 11.6 seconds is the mean time for deployments and 1,079 max deployment in one hour: how many military systems can claim that many deployed changes in a month? (Ref: Gene Kim, slide 23 http://www.slideshare.net/realgenekim/why-everyone-needs-devops-now) I doubt any, but this is what the military (and modern enterprises like Sony) must prepare for: never ending change and updating on near random cycles.

More to the point: continual and unscheduled software patches are the landscape in this new maneuver environment. And since they can’t be planned for, organizations need to learn to evolve for change and deploy software and new capabilities continually. 

Software supply chain planning is no longer something that can be starved of funds. Malware, continuous monitoring, and network scanners can tell you which barn doors are open and that the horses are leaving, but leave enterprises with a massive punch list of fix it items. Funding, time and effort need to spent on the supply chain. It is the first true line of cyber-defense. 

Parting shot, question for CIOs/CTOs: Can you patch all of your systems in the next hour, using existing processes and not bypassing things? For most organizations the answer is no, OpenSSL patches (seriously!) get emailed around from dubious sources is akin to Mom mailing ammo to her son in a care box in Afghanistan.

For want of a message the cyberbattle was lost.

For want of a battle the enterprise was lost.

And all for the want of a software patch.

Scale and Speed with Cyber Security

“Sometimes quantity has a quality all its own” attributed to Stalin & Clausewitz

Operational scale doesn’t get much love or discussion from folks since its boring to talk about: truly large scale things have been simplified and optimized to do a few very specific things extremely well. Things like packet routing, cell phone switching, stock trading and electricity delivery, these operate in mindboggling large ways with high reliability. But all of these things had time to mature and explore the design space to find optimal solutions. Dealing with the scale that the internet can deliver, has unfortunately left us with a series of other non-optimal cyber security approaches and solutions.

In cybersecurity we’re have a hard time dealing with scale. For a number of reasons (outside of the tech not being able to scale) proposed solutions can’t scale as a business model (e.g., cost per user, app or device becomes exorbitant), scale would require re-architecting resulting in tech lock-in with an expensive toll to leave and finally bureaucracy that can’t change long established approaches to solving problems. Out of all the problems to deal with subverting bureaucracy to enable security scaling is the hardest.

Bureaucracies exist to ensure continuity of purpose within a construct of organizational processes and since they are filled with and designed by people, aren’t able to radically evolve to meet new threats or fill new operating environments. When faced with new problems bureaucracies rarely remove processes, but instead add additional levels of requirements, yet-another-review (YAR) or just add more people. Its a tough problem and one where our usual tried and true design methods tend to breakdown.

Scaling in cyberspace means essentially learning to manipulate the speed of light, adding more programmable meat does not address the problem.

So what can be done? → Design for Speed, Automate, Know your Supply Chain

The number one organizing principle has to be speed and its speed operating at every level within an enterprise: from how software gets built to how it gets deployed to how it evolves to how fast HR can fire and hire people, the speed of light infects everything, it has to be optimized for. Secondly, automation: every process that deals with software must be ruthlessly automated (i.e., FISMA) – if it can’t be automated, don’t require it (and it probably doesn’t give you real security anyway) and third, supply chain: intentionally understanding (and automating) the software supply chain. All three when synchronized create strong feedback loops and learning curves for the enterprise leading to a strengthened cyber security posture.

IT and software are never complete, but instead need to be viewed as experiments in continuous scaling, morphing and evolving to create new corporate opportunities while meeting new security challenges and threats.

Related Reading:

Dealing With Insider Threats in the Age of COVID

New Cloudera Alliances Leader Ready To Scale Cloud And Channel Partnerships

Accrete scales human expertise and automate analytical tasks to make accurate predictions about the real world

More Content

Cyber War

Optimizing Corporate Intelligence with OODA Loop

This post is part of our Intelligent Enterprise series, which providing insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making. The first post provided foundational insights into A Practitioner’s View of Corporate Intelligence. This one dives into actionable recommendation on ways to optimize a corporate intelligence effort. It is based on a career serving large scale analytical efforts in the US Intelligence Community and in applying principles of intelligence in corporate America.

SciFi

Science Fiction Gadgets You Can Get Today

Technology is advancing pretty fast, at times influenced by the exciting world of Science Fiction. This video captures 10 of the tech developments first seen in SciFi that are available now. A key point of this, if you want to know what is in our future, watch more SciFi!  

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]