“Sometimes quantity has a quality all its own” attributed to Stalin & Clausewitz
Operational scale doesn’t get much love or discussion from folks since its boring to talk about: truly large scale things have been simplified and optimized to do a few very specific things extremely well. Things like packet routing, cell phone switching, stock trading and electricity delivery, these operate in mindboggling large ways with high reliability. But all of these things had time to mature and explore the design space to find optimal solutions. Dealing with the scale that the internet can deliver, has unfortunately left us with a series of other non-optimal cyber security approaches and solutions.
In cybersecurity we’re have a hard time dealing with scale. For a number of reasons (outside of the tech not being able to scale) proposed solutions can’t scale as a business model (e.g., cost per user, app or device becomes exorbitant), scale would require re-architecting resulting in tech lock-in with an expensive toll to leave and finally bureaucracy that can’t change long established approaches to solving problems. Out of all the problems to deal with subverting bureaucracy to enable security scaling is the hardest.
Bureaucracies exist to ensure continuity of purpose within a construct of organizational processes and since they are filled with and designed by people, aren’t able to radically evolve to meet new threats or fill new operating environments. When faced with new problems bureaucracies rarely remove processes, but instead add additional levels of requirements, yet-another-review (YAR) or just add more people. Its a tough problem and one where our usual tried and true design methods tend to breakdown.
Scaling in cyberspace means essentially learning to manipulate the speed of light, adding more programmable meat does not address the problem.
So what can be done? → Design for Speed, Automate, Know your Supply Chain
The number one organizing principle has to be speed and its speed operating at every level within an enterprise: from how software gets built to how it gets deployed to how it evolves to how fast HR can fire and hire people, the speed of light infects everything, it has to be optimized for. Secondly, automation: every process that deals with software must be ruthlessly automated (i.e., FISMA) – if it can’t be automated, don’t require it (and it probably doesn’t give you real security anyway) and third, supply chain: intentionally understanding (and automating) the software supply chain. All three when synchronized create strong feedback loops and learning curves for the enterprise leading to a strengthened cyber security posture.
IT and software are never complete, but instead need to be viewed as experiments in continuous scaling, morphing and evolving to create new corporate opportunities while meeting new security challenges and threats.