Jack Whitsitt, profile picture
Uploaded byJack Whitsitt
PPTX, PDF3,748 views

Yours Anecdotally: Developing a Cybersecurity Problem Space

The document discusses the inadequacies of current cybersecurity practices, emphasizing that a narrow focus on information security has led to stagnation and failure to address broader cybersecurity risks. It suggests that effective risk management requires a transformative approach that incorporates multiple disciplines beyond infosec, encourages open discourse, and challenges existing models and practices. Ultimately, it calls for a wider scope in cybersecurity strategies to enhance resilience and reduce vulnerabilities in the face of evolving threats.

Embed presentation

Downloaded 15 times
Jack Whitsitt, EnergySec Senior Strategist @sintixerr | sintixerr@gmail.com
Progress in economics consists almost entirely in a progressive improvement in the choice of models…. [It] is a science of thinking in terms of models joined to the art of choosing models which are relevant to the contemporary world… [and] it is essentially a moral science and not a natural science… That is to say, it employs introspection and judgments of value. – J. M. Keynes to Harrod , 4 July 1938 (Sorta)
 Artist  Hacker Compound  Open Source (Honeypots)  Managed Commercial Security  FBI SOC  Enterprise Security Architect  National Control Systems Incident Response  Gov: Public/Private Partnership as the Transportation SSA  Non-Profit Community Building  International Policy Discussions ….and Civilization Escape Artist
We’re Losing, We’re Repeating Ourselves with Increasing Specialization, We Have No Strategy We must learn to Fail, Iterate, and Evolve (better?) or Admit We’re Insane
We have been focusing on improving information security and risk management practices to reduce cybersecurity risk. This focus has improved information security practices, but without meaningfully or sustainable reducing cybersecurity risk This has come at the cost of the resources we will require to displace the dangerously entrenched behavior and misaligned markets created as an outcome of this focus. Our focus on information security solution spaces prevents us from making necessary transformative (as opposed to incremental) improvements because: Information Security might, presently, be largely tangential and non-causal with regard to long term cybersecurity success – Its practices and solution spaces do not control or speak to enough of the exposure environment to create sustained, strategic improvements in position We need to take a wider view. (Warning: The view may contradict itself and this will be a linear presentation of a non-linear topic)
 Island Internet  Isolated Security Events  Techies without funding or buy-in develop practices  Automated Worms Disrupt Business  Market need identified and met by selling practices  Connected Important Stuff  Merging Realities, Conflict and All  Entrenched Models and Practices failing to solve for New Reality and New Scope We started out specialized and then specialized further despite context and problem space expansion and we’ve failed to improve and update models or develop appropriate, specific objectives accounting for our environment* Now we’re missing important fundamentals in scope, metaphor, language, and strategies and are battling existing investment to fix (*or, at least, we’ve failed to create effective socialization mechanisms for them)
Help overcome the flawed strategies we’ve imposed on ourselves by artificially limiting the scope of cybersecurity to InfoSec Suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change.
 Some Famous President Or General (I think):  “There is no seemingly intractable problem I’ve faced whose solution didn’t present itself with an increase of scope”-ish  Famous Penetration Testers:  The companies that eventually keep us from achieving our objectives are the ones that narrowed the scope of their objectives and funded them  Start wide, then focus:  Where are we?  What are we, really?  How do we get OUT of here?
 The world already has a lot of cybersecurity “solutions” and “products”  The average information security budget according to PricewaterhouseCoopers is a staggering $4.1 million  According to Gartner, the worldwide Information Security market is valued at more than $70 billion. And, yet…  The list to your right contains many, but not all, major Fortune 500 breaches since 2011  These are not companies that cannot afford cybersecurity  Most organizations are notified by external parties (“Cyber Healthcare Professionals” re yesterday’s post-lunch talk) 100’s of days after breach  Cybersecurity is a hard problem that clearly – by any public metric available - remains unsolved in any sustainable way 97% of networks have been breached (FireEye)
 Of Solutions  At the Wrong Level  Without being Able to Articulate the Problem  NISTCSF  Common Practices  List of things that aren’t sufficient  Cybersec EU, Poland, 2015  Talking Information Sharing at Highest International levels  Conducting, not winning conflict  Same solution spaces provided over and over again  Specificity intersecting with applicability and repeatability extraordinarily difficult  This has to stop
We do not have a consensus definition “Cybersecurity”  Neither the problem space nor the discipline  We can’t even decide if there is a <space> between Cyber and Security  Ask any 5 experts, get 5+ answers Speaking of experts…..
 System Administrators  Malware Analysts`  Incident Responders  Lawyers  CISOs  Procurement Officials  Chairmen of the Senate Whatever Committee  Heads of the NSA  Senior Sales Engineers for Security Companies  Hackers  Children • CEO/Executive Board Members • Criminals/Terrorists • Journalists • Developers • Activists • Evolutionary Ecology PhD’s • Diplomats • Control Systems Engineers • Regulators and Auditors • Emergency Managers • Citizens • Operations Staff • Firewall Engineers
Cybersecurity is a huge domain that spans entire cultures, industries, and nations while remaining highly individualized As a discipline, it is an amalgamation of existing as disparate as business management, computer science, political science, and even art. This means we have to always be cognizant of context.
http://www.tripwire.com/state-of-security/latest-security-news/vast-majority-maintaining-increasing-cyber-security-spending/
(Source: http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883 via Lockheed Martin)
Source: https://isc.sans.edu/diaryimages/a207889185ca6b4ccbf43d94e017a663
Prosecute & Convict? Defend? Listen? Convince?
 Cybersecurity MUST be Lensed  Because it is a human problem  And Human Problems are Communication Problems  Lenses can provide the human-specific focus required for communication  Communication lenses are composed of:  Domain: Broad Problem Space Definition  Perspectives: Who is Involved?  Contexts: Which problem piece is in front of us?  Discipline Areas: What tools are available? *These are my definitions only
Cybersecurity: The application of several disciplines to enabling an environment in which specific non-ICT based objectives are sustainably achievable with the aid of Information Security, Control Systems Security, and Other Related Security Practices in the face of continuous risk resulting from the use of cyber systems. Secure system: One that does no more or less than we want it to for the amount of effort and resources we’re willing to invest in it.
Those definitions still don’t describe a problem to be solved, they describe solution sets and objectives.
This is a Domain we can ask specific questions of and turn into lenses…
If InfoSec is an error handler for the overall cybersecurity risk environment, then we’ve let the main system go at the expense of the error handler. For the Error Handler to be the source of stability, it would have to have all or most main system knowledge. So what does the problem space really look like OUTSIDE of InfoSec? Outside of the Error Handler? Managing the following extra-InfoSec domains is a precondition to or a part of effective information risk management
1. Global 2. Body Political 3. Organizational 4. Individual  Technical … This might be a business problem pertaining to complexity? (In Order. List Likely Not Complete. Threat Exclusion Intentional.)
 Offense/Defense  Individuals and Businesses are NOT defenders  Asking them to participate in global conflict is, in a word, silly  They do not, and will not, have competence or capacity over time  18,500 US Firms with over 500 employees!  Parasite Management  Maintain value Control despite competition for shared, not owned infrastructure  Sustained Resilience: Continuity of Operations, DR  Exposure Management vs Incident Management  Exposure/Environment Management OR ELSE  Information Security is non-causal in Exposure Management  Lack of Exposure Management is an eventual permanent loss  Incidents do not aggregate up to long term risk  The Primary Conflict Model is that of a Siege  Non-combatants not in control of surrounding environment being drained of resources forced to make daily risk decisions that are not pertinent to eventual win  This is true whether or not different threat groups *intend* to put us under siege  Strategic win is possible, not possible under other models  Accounts for resource drainage, supply chain problems, massive externalities problem, etc  Breaking the siege requires building *a* castle (cooperative strategic infrastructure) and*multiple* guilds (regimes)
 Confidence Building Measures & Stability Problems  Unknown Exposure: Game Theory vs Control Based Regulation  Too many actors  Tools too accessible  Norms of Behavior  Some norms support both conflict and stability  Difficulty developing norms in the middle of conflict  Information vs Kinetic Warfare  Intentional Abuse of Conflict Culture & Definitions  Targeting of formal/informal “civilian” information and regimes  Western governance has long term strategic vulnerabilities  Capacity Building  vs Conflict Execution (Retains almost Exclusive Focus)  vs Exposure Management (Done only to aid Conflict)  Same as InfoSec, but larger Also Helps Drive (& Provide Cover for) Localized Civilian Parasite/Siege Conflict Context
 Overall rising hostility under the radar  Sustained non-ICT Regime Instability  Costs in money, trust, unconstrained resilience requirements  Unintended Specific Fallout from General Instability  Systems not functioning as desired in emergencies  High Intensity Conflict resulting from unrelated events
 Business Borders: Disappearing?  Is it more useful to constrain cybersecurity around business borders or supply (and value) chains?  If the latter, is that even possible?  This is only one of several boundary problems)  Un-constrainable? Mesh vs Chains  Since these aren’t really chains, does this become a statistical problem?  Supply chain as a mechanism for risk reduction?
 Geography & Power Delegation  The internet is a form of “geography”  Power Plants are part of the internet, therefore they are geography  They’re also targets  The government is *not* the primary arbiter of power within the borders of this virtual geography  Ooops. This is new.  Geography & Proximity  Everyone is a Neighbor  Have you ever been stuffed shoulder to shoulder in a hot train car with drunk friends, enemies, and strangers?  Ooops. This is new, or at least worse.
 Common Problem Space Consensus  Development  Socialization  Multi-stakeholder Model/Regime Management  Targeting & Engagement  Aligned, Unaligned, Oppositional Stakeholders  Development  Goal Targeting and Rationalization  Language normalization  Practice Development  As opposed to Stabilization  Tragedy of the Commons  Without Ownership of Practices, Infrastructure, or Goals  RealPolitik
 Power  2nd Amendment and the Right to Bear Digital Arms  Responsibilities  Voting Knowledgeably  Participation in Multi-Stakeholder Regimes  Education  Access  Rights of Individual Access vs Rights of Society  Business & Government Customers  Voting, Markets, and Courts intended as arbiters, but…  Social  Perception & Expectation Management  Media!  Health & Safety
 Entrenched Industry Must be Derailed  Costing us time, money, cultural capital  Hijacking regimes  Abstract, tenuous connection to risk  Hope, hope, hope, hope  (Vendor vs Hacker)  Academia not competing  Tools  Behavior Change  Applicability
“The difference between how it’s supposed to work and how it really works is where the vulnerabilities happen,” - Chris Wysopal/Weld Pond (L0pht)  Complexity  Exposure rising directly and infinitely with complexity  Competency  Technical competency required by all, who cannot maintain  Security Express-ability  Lower layers are approximating upper layer expressions
 Exposure Management  Decision Making Capacity Building  Action Capacity (Authority/Responsibility)  Full System (Human) Threat Modeling  Requires Role/Lever reasoning  Fuzzy (but it’s done all the time anyway) Anyone can make a good plan, and one that works, but can it be kept tight enough to achieve goals in the face of constant, organized, trained, funded, motivated, threats?
 We Need Generals  Now Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win  Win = Desired level of risk for desired investment over tim  Formal Roles limit Routing of Knowledge/Capability into available levers  If you’re not selling something, you’re not participating
 Sustained Socialization  Meme-ification - Passive Education  Active Education  Clarity across Discipline Borders  Common Language  Knowledge  Language & terminology  Organic  Hijacked  Perspective & Context Awareness  Trouble Seeing the Big Picture for the Small  Validation & Action
 Psychology  Stakeholders Receptiveness  Distance between action and risk  Conceptual Processing  Ability to Process sufficient incoming knowledge tangential to core life  Analysts vs Engineers  Average is Average  Cannot require or assume exceptionalism
 Wok  Wok Wok  Wok?  W.O.K.  Wok Wok wok wok This is, obviously, a wildly incomplete framework. But it is a start?
 Exposure is primarily created outside of InfoSec (although not “only”)  Informing InfoSec Practices with Business Goals instead of vice versa removes levers  InfoSec practices should INFORM and CONTEXTUALIZE business risk practices INTO cyber risk CONTROLS  Cyber isn’t a risk TO you in most cases;  The risk from cyber to society, industry, and gov CREATES risks to you (Polish Airlines)  Risk management’s job is not limited to a process or approach or framework.  It is, instead, behavioral and decision making capacity building  Awareness is not behavior change  Psych, Marketing, Comms  Target: “Risk Based” often conflated with “Have a Priority” in common practice  Difficult to quantify security management non-security benefits because security management is typically focused on improving security management – even when contextualized by business.  We can perhaps, instead, quantify benefits of non-security activities that benefit security by leveraging dual purpose activities
 Expand  Clarify  Communicate  Maintain  Use  Market  Criticize  Trash it and Start Over if Needed  We still need one  Let’s just stop repeating ourselves
 Goal Development:  Siege Breaking and Parasitic Environment Management (next slide)  Roles to Risk Modeling to…  Create Exposure Management Strategies  Aid Targeted Education for Risk Decisions in Role Context  Mitigate Tech/Process Controls  A Non-Sec Initiative  Integrate Disparate Disciplines into a Cybersecurity Discipline  Business Risk Managers/CFO’s/Psychs/OrgProcess/Marketers/Sociologists against InfoSec…  Socialize QA as applied to Cyber Exposure Creation  This should exist, but perhaps unapplied  Citizens as a DHS Critical Infrastructure Sector  Contextualize abstract risks in existing process  Identify Psychological Motivation Profiles for Targeted Behavior Change  Business Levers that affect security with the most non-security ROI.
Develop cross-environment joint actor strategies to more effectively and sustainably compete for the ability to provide value smack in the middle of a constant conflict that cannot be won against players we may or may not be able to see, know, or influence and whose values and goals may be in support of yours, oppositional to yours, or tangential to yours while, over time ,gradually de- incentivizing the use of cyberspace as a conflict domain.
 Think Beyond InfoSec  Broaden Scope Out As Far As You Can Go  Re-Consider your Metaphors and Models from the Ground Up  If Only as a Thought Exercise  Ask how to manage risk without InfoSec  Then build an error handler  Wonder at why we are where we are  And treat common practices as solving an insufficiently complete list of problems
Jack Whitsitt, EnergySec Senior Strategist @sintixerr | sintixerr@gmail.com

More Related Content

PPTX
Effective Cybersecurity Communication Skills
byJack Whitsitt
 
PPTX
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
byJack Whitsitt
 
PPTX
Introduction to National Critical Infrastructure Cyber Security: Background a...
byJack Whitsitt
 
PDF
Technologies and Policies for a Defensible Cyberspace
bymark-smith
 
PPTX
Clinton- Cyber IRT Balto 10_2012
byDon Grauel
 
PPTX
Sj terp emerging tech radar
bySaraJayneTerp
 
PPTX
Risk, SOCs, and mitigations: cognitive security is coming of age
bySara-Jayne Terp
 
DOCX
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
byJessica Graf
 
Effective Cybersecurity Communication Skills
byJack Whitsitt
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
byJack Whitsitt
 
Introduction to National Critical Infrastructure Cyber Security: Background a...
byJack Whitsitt
 
Technologies and Policies for a Defensible Cyberspace
bymark-smith
 
Clinton- Cyber IRT Balto 10_2012
byDon Grauel
 
Sj terp emerging tech radar
bySaraJayneTerp
 
Risk, SOCs, and mitigations: cognitive security is coming of age
bySara-Jayne Terp
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
byJessica Graf
 

What's hot

PDF
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
byCasey Ellis
 
PPTX
DBryant-Cybersecurity Challenge
bymsdee3362
 
PPTX
2021 12 nyu-the_business_of_disinformation
bySaraJayneTerp
 
PPTX
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
bySara-Jayne Terp
 
PPTX
Cognitive security: all the other things
bySara-Jayne Terp
 
PPTX
Distributed defense against disinformation: disinformation risk management an...
bySara-Jayne Terp
 
PPTX
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
bySara-Jayne Terp
 
PPTX
disinformation risk management: leveraging cyber security best practices to s...
bySara-Jayne Terp
 
PPTX
The Business(es) of Disinformation
bySara-Jayne Terp
 
PDF
Opportunities and Challenges in Crisis Informatics
byLea Shanley
 
PDF
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
byStephanie McVitty
 
PPT
Improving cyber-security through acquisition
byChristopher Dorobek
 
PDF
"Evolving cybersecurity strategies" - Seizing the Opportunity
byDean Iacovelli
 
PDF
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
byGovernment Technology and Services Coalition
 
DOC
Chuck Brooks Updated Profile: on Homeland Security, Cybersecurity, Emerging T...
byChuck Brooks
 
PPTX
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
byGovernment Technology and Services Coalition
 
PPT
Professor Martin Gill, Director, Perpetuity Research
byCSSaunders
 
DOCX
Chuck Brooks Profile: on Homeland Security, Cybersecurity, Emerging Technolog...
byChuck Brooks
 
PDF
The Black Report - Hackers
byAskBio (former)
 
PPTX
A Guide to Disaster Preparedness for Businesses
byAdvanced Imaging Solutions & Pinnacle
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
byCasey Ellis
 
DBryant-Cybersecurity Challenge
bymsdee3362
 
2021 12 nyu-the_business_of_disinformation
bySaraJayneTerp
 
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
bySara-Jayne Terp
 
Cognitive security: all the other things
bySara-Jayne Terp
 
Distributed defense against disinformation: disinformation risk management an...
bySara-Jayne Terp
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
bySara-Jayne Terp
 
disinformation risk management: leveraging cyber security best practices to s...
bySara-Jayne Terp
 
The Business(es) of Disinformation
bySara-Jayne Terp
 
Opportunities and Challenges in Crisis Informatics
byLea Shanley
 
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
byStephanie McVitty
 
Improving cyber-security through acquisition
byChristopher Dorobek
 
"Evolving cybersecurity strategies" - Seizing the Opportunity
byDean Iacovelli
 
Insight Session with Dr. Daniel Gerstein, Deputy Under Secretary, S&T, DHS
byGovernment Technology and Services Coalition
 
Chuck Brooks Updated Profile: on Homeland Security, Cybersecurity, Emerging T...
byChuck Brooks
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
byGovernment Technology and Services Coalition
 
Professor Martin Gill, Director, Perpetuity Research
byCSSaunders
 
Chuck Brooks Profile: on Homeland Security, Cybersecurity, Emerging Technolog...
byChuck Brooks
 
The Black Report - Hackers
byAskBio (former)
 
A Guide to Disaster Preparedness for Businesses
byAdvanced Imaging Solutions & Pinnacle
 

Similar to Yours Anecdotally: Developing a Cybersecurity Problem Space

PPTX
Jack Whitsitt - Yours, Anecdotally
byEnergySec
 
PPTX
Selling security to the C-level
byDonald Tabone
 
PDF
You Give Us The Fire We'll Give'em Hell!
bywmetcalf
 
PPSX
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
byJames Mulhern
 
PDF
2017 InfraGard Atlanta Conference - Matthew Rosenquist
byMatthew Rosenquist
 
PPTX
Understanding the security_organization
byDan Morrill
 
PDF
Pivotal Role of HR in Cybersecurity
byMatthew Rosenquist
 
PDF
CSE 2016 Future of Cyber Security by Matthew Rosenquist
byMatthew Rosenquist
 
PDF
2017 K12 Educators Security Briefing - Matthew Rosenquist
byMatthew Rosenquist
 
PPT
December ISSA Meeting Executive Security Presentation
bywhmillerjr
 
PPTX
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
byWCIT 2014
 
PDF
Managing cyber security
byUniversity of Hertfordshire
 
PPTX
NZISF Talk: Six essential security services
byHinne Hettema
 
PDF
Dinis Cruz IBWAS'10 Conference Keynote
bySandraPaiva
 
PDF
Strategic Leadership for Managing Evolving Cybersecurity Risks
byMatthew Rosenquist
 
PDF
20101012 isa larry_clinton
byCIONET
 
PPTX
CRI "Lessons From The Front Lines" March 26th Dublin
byOCTF Industry Engagement
 
PDF
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
PPTX
Showreel ICSA Technology Conference
byInstitute of Chartered Secretaries and Administrators
 
PPT
Risk Assessment And Management
byvikasraina
 
Jack Whitsitt - Yours, Anecdotally
byEnergySec
 
Selling security to the C-level
byDonald Tabone
 
You Give Us The Fire We'll Give'em Hell!
bywmetcalf
 
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
byJames Mulhern
 
2017 InfraGard Atlanta Conference - Matthew Rosenquist
byMatthew Rosenquist
 
Understanding the security_organization
byDan Morrill
 
Pivotal Role of HR in Cybersecurity
byMatthew Rosenquist
 
CSE 2016 Future of Cyber Security by Matthew Rosenquist
byMatthew Rosenquist
 
2017 K12 Educators Security Briefing - Matthew Rosenquist
byMatthew Rosenquist
 
December ISSA Meeting Executive Security Presentation
bywhmillerjr
 
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
byWCIT 2014
 
Managing cyber security
byUniversity of Hertfordshire
 
NZISF Talk: Six essential security services
byHinne Hettema
 
Dinis Cruz IBWAS'10 Conference Keynote
bySandraPaiva
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
byMatthew Rosenquist
 
20101012 isa larry_clinton
byCIONET
 
CRI "Lessons From The Front Lines" March 26th Dublin
byOCTF Industry Engagement
 
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
Showreel ICSA Technology Conference
byInstitute of Chartered Secretaries and Administrators
 
Risk Assessment And Management
byvikasraina
 

Recently uploaded

PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PPTX
Penetration Testing: Enhancing Cyber Defenses Through Realistic Attack Simula...
bySentry Cyber
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
Genesys Vision & CX Trends 2026 Unlocking Business Value in the Experience Ec...
byUni Systems S.M.S.A.
 
PPTX
Leon Brands - Methodical GPU Profiling (Graphics Programming Conference 2025)
byleonbrands1998
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
Welcome by Uni Systems: Shaping Experiences
byUni Systems S.M.S.A.
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
Penetration Testing: Enhancing Cyber Defenses Through Realistic Attack Simula...
bySentry Cyber
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
Genesys Vision & CX Trends 2026 Unlocking Business Value in the Experience Ec...
byUni Systems S.M.S.A.
 
Leon Brands - Methodical GPU Profiling (Graphics Programming Conference 2025)
byleonbrands1998
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
Welcome by Uni Systems: Shaping Experiences
byUni Systems S.M.S.A.
 

Yours Anecdotally: Developing a Cybersecurity Problem Space

  • 1.
    Jack Whitsitt, EnergySecSenior Strategist @sintixerr | sintixerr@gmail.com
  • 2.
    Progress in economicsconsists almost entirely in a progressive improvement in the choice of models…. [It] is a science of thinking in terms of models joined to the art of choosing models which are relevant to the contemporary world… [and] it is essentially a moral science and not a natural science… That is to say, it employs introspection and judgments of value. – J. M. Keynes to Harrod , 4 July 1938 (Sorta)
  • 3.
     Artist  HackerCompound  Open Source (Honeypots)  Managed Commercial Security  FBI SOC  Enterprise Security Architect  National Control Systems Incident Response  Gov: Public/Private Partnership as the Transportation SSA  Non-Profit Community Building  International Policy Discussions ….and Civilization Escape Artist
  • 4.
    We’re Losing, We’reRepeating Ourselves with Increasing Specialization, We Have No Strategy We must learn to Fail, Iterate, and Evolve (better?) or Admit We’re Insane
  • 5.
    We have beenfocusing on improving information security and risk management practices to reduce cybersecurity risk. This focus has improved information security practices, but without meaningfully or sustainable reducing cybersecurity risk This has come at the cost of the resources we will require to displace the dangerously entrenched behavior and misaligned markets created as an outcome of this focus. Our focus on information security solution spaces prevents us from making necessary transformative (as opposed to incremental) improvements because: Information Security might, presently, be largely tangential and non-causal with regard to long term cybersecurity success – Its practices and solution spaces do not control or speak to enough of the exposure environment to create sustained, strategic improvements in position We need to take a wider view. (Warning: The view may contradict itself and this will be a linear presentation of a non-linear topic)
  • 7.
     Island Internet Isolated Security Events  Techies without funding or buy-in develop practices  Automated Worms Disrupt Business  Market need identified and met by selling practices  Connected Important Stuff  Merging Realities, Conflict and All  Entrenched Models and Practices failing to solve for New Reality and New Scope We started out specialized and then specialized further despite context and problem space expansion and we’ve failed to improve and update models or develop appropriate, specific objectives accounting for our environment* Now we’re missing important fundamentals in scope, metaphor, language, and strategies and are battling existing investment to fix (*or, at least, we’ve failed to create effective socialization mechanisms for them)
  • 9.
    Help overcome theflawed strategies we’ve imposed on ourselves by artificially limiting the scope of cybersecurity to InfoSec Suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change.
  • 10.
     Some FamousPresident Or General (I think):  “There is no seemingly intractable problem I’ve faced whose solution didn’t present itself with an increase of scope”-ish  Famous Penetration Testers:  The companies that eventually keep us from achieving our objectives are the ones that narrowed the scope of their objectives and funded them  Start wide, then focus:  Where are we?  What are we, really?  How do we get OUT of here?
  • 16.
     The worldalready has a lot of cybersecurity “solutions” and “products”  The average information security budget according to PricewaterhouseCoopers is a staggering $4.1 million  According to Gartner, the worldwide Information Security market is valued at more than $70 billion. And, yet…  The list to your right contains many, but not all, major Fortune 500 breaches since 2011  These are not companies that cannot afford cybersecurity  Most organizations are notified by external parties (“Cyber Healthcare Professionals” re yesterday’s post-lunch talk) 100’s of days after breach  Cybersecurity is a hard problem that clearly – by any public metric available - remains unsolved in any sustainable way 97% of networks have been breached (FireEye)
  • 18.
     Of Solutions At the Wrong Level  Without being Able to Articulate the Problem  NISTCSF  Common Practices  List of things that aren’t sufficient  Cybersec EU, Poland, 2015  Talking Information Sharing at Highest International levels  Conducting, not winning conflict  Same solution spaces provided over and over again  Specificity intersecting with applicability and repeatability extraordinarily difficult  This has to stop
  • 20.
    We do nothave a consensus definition “Cybersecurity”  Neither the problem space nor the discipline  We can’t even decide if there is a <space> between Cyber and Security  Ask any 5 experts, get 5+ answers Speaking of experts…..
  • 21.
     System Administrators Malware Analysts`  Incident Responders  Lawyers  CISOs  Procurement Officials  Chairmen of the Senate Whatever Committee  Heads of the NSA  Senior Sales Engineers for Security Companies  Hackers  Children • CEO/Executive Board Members • Criminals/Terrorists • Journalists • Developers • Activists • Evolutionary Ecology PhD’s • Diplomats • Control Systems Engineers • Regulators and Auditors • Emergency Managers • Citizens • Operations Staff • Firewall Engineers
  • 22.
    Cybersecurity is ahuge domain that spans entire cultures, industries, and nations while remaining highly individualized As a discipline, it is an amalgamation of existing as disparate as business management, computer science, political science, and even art. This means we have to always be cognizant of context.
  • 23.
  • 24.
  • 25.
  • 27.
    Prosecute & Convict?Defend? Listen? Convince?
  • 34.
     Cybersecurity MUSTbe Lensed  Because it is a human problem  And Human Problems are Communication Problems  Lenses can provide the human-specific focus required for communication  Communication lenses are composed of:  Domain: Broad Problem Space Definition  Perspectives: Who is Involved?  Contexts: Which problem piece is in front of us?  Discipline Areas: What tools are available? *These are my definitions only
  • 35.
    Cybersecurity: The applicationof several disciplines to enabling an environment in which specific non-ICT based objectives are sustainably achievable with the aid of Information Security, Control Systems Security, and Other Related Security Practices in the face of continuous risk resulting from the use of cyber systems. Secure system: One that does no more or less than we want it to for the amount of effort and resources we’re willing to invest in it.
  • 36.
    Those definitions stilldon’t describe a problem to be solved, they describe solution sets and objectives.
  • 37.
    This is aDomain we can ask specific questions of and turn into lenses…
  • 39.
    If InfoSec isan error handler for the overall cybersecurity risk environment, then we’ve let the main system go at the expense of the error handler. For the Error Handler to be the source of stability, it would have to have all or most main system knowledge. So what does the problem space really look like OUTSIDE of InfoSec? Outside of the Error Handler? Managing the following extra-InfoSec domains is a precondition to or a part of effective information risk management
  • 41.
    1. Global 2. BodyPolitical 3. Organizational 4. Individual  Technical … This might be a business problem pertaining to complexity? (In Order. List Likely Not Complete. Threat Exclusion Intentional.)
  • 42.
     Offense/Defense  Individualsand Businesses are NOT defenders  Asking them to participate in global conflict is, in a word, silly  They do not, and will not, have competence or capacity over time  18,500 US Firms with over 500 employees!  Parasite Management  Maintain value Control despite competition for shared, not owned infrastructure  Sustained Resilience: Continuity of Operations, DR  Exposure Management vs Incident Management  Exposure/Environment Management OR ELSE  Information Security is non-causal in Exposure Management  Lack of Exposure Management is an eventual permanent loss  Incidents do not aggregate up to long term risk  The Primary Conflict Model is that of a Siege  Non-combatants not in control of surrounding environment being drained of resources forced to make daily risk decisions that are not pertinent to eventual win  This is true whether or not different threat groups *intend* to put us under siege  Strategic win is possible, not possible under other models  Accounts for resource drainage, supply chain problems, massive externalities problem, etc  Breaking the siege requires building *a* castle (cooperative strategic infrastructure) and*multiple* guilds (regimes)
  • 43.
     Confidence BuildingMeasures & Stability Problems  Unknown Exposure: Game Theory vs Control Based Regulation  Too many actors  Tools too accessible  Norms of Behavior  Some norms support both conflict and stability  Difficulty developing norms in the middle of conflict  Information vs Kinetic Warfare  Intentional Abuse of Conflict Culture & Definitions  Targeting of formal/informal “civilian” information and regimes  Western governance has long term strategic vulnerabilities  Capacity Building  vs Conflict Execution (Retains almost Exclusive Focus)  vs Exposure Management (Done only to aid Conflict)  Same as InfoSec, but larger Also Helps Drive (& Provide Cover for) Localized Civilian Parasite/Siege Conflict Context
  • 44.
     Overall risinghostility under the radar  Sustained non-ICT Regime Instability  Costs in money, trust, unconstrained resilience requirements  Unintended Specific Fallout from General Instability  Systems not functioning as desired in emergencies  High Intensity Conflict resulting from unrelated events
  • 45.
     Business Borders:Disappearing?  Is it more useful to constrain cybersecurity around business borders or supply (and value) chains?  If the latter, is that even possible?  This is only one of several boundary problems)  Un-constrainable? Mesh vs Chains  Since these aren’t really chains, does this become a statistical problem?  Supply chain as a mechanism for risk reduction?
  • 46.
     Geography &Power Delegation  The internet is a form of “geography”  Power Plants are part of the internet, therefore they are geography  They’re also targets  The government is *not* the primary arbiter of power within the borders of this virtual geography  Ooops. This is new.  Geography & Proximity  Everyone is a Neighbor  Have you ever been stuffed shoulder to shoulder in a hot train car with drunk friends, enemies, and strangers?  Ooops. This is new, or at least worse.
  • 47.
     Common ProblemSpace Consensus  Development  Socialization  Multi-stakeholder Model/Regime Management  Targeting & Engagement  Aligned, Unaligned, Oppositional Stakeholders  Development  Goal Targeting and Rationalization  Language normalization  Practice Development  As opposed to Stabilization  Tragedy of the Commons  Without Ownership of Practices, Infrastructure, or Goals  RealPolitik
  • 48.
     Power  2ndAmendment and the Right to Bear Digital Arms  Responsibilities  Voting Knowledgeably  Participation in Multi-Stakeholder Regimes  Education  Access  Rights of Individual Access vs Rights of Society  Business & Government Customers  Voting, Markets, and Courts intended as arbiters, but…  Social  Perception & Expectation Management  Media!  Health & Safety
  • 49.
     Entrenched IndustryMust be Derailed  Costing us time, money, cultural capital  Hijacking regimes  Abstract, tenuous connection to risk  Hope, hope, hope, hope  (Vendor vs Hacker)  Academia not competing  Tools  Behavior Change  Applicability
  • 50.
    “The difference betweenhow it’s supposed to work and how it really works is where the vulnerabilities happen,” - Chris Wysopal/Weld Pond (L0pht)  Complexity  Exposure rising directly and infinitely with complexity  Competency  Technical competency required by all, who cannot maintain  Security Express-ability  Lower layers are approximating upper layer expressions
  • 51.
     Exposure Management Decision Making Capacity Building  Action Capacity (Authority/Responsibility)  Full System (Human) Threat Modeling  Requires Role/Lever reasoning  Fuzzy (but it’s done all the time anyway) Anyone can make a good plan, and one that works, but can it be kept tight enough to achieve goals in the face of constant, organized, trained, funded, motivated, threats?
  • 52.
     We NeedGenerals  Now Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win  Win = Desired level of risk for desired investment over tim  Formal Roles limit Routing of Knowledge/Capability into available levers  If you’re not selling something, you’re not participating
  • 53.
     Sustained Socialization Meme-ification - Passive Education  Active Education  Clarity across Discipline Borders  Common Language  Knowledge  Language & terminology  Organic  Hijacked  Perspective & Context Awareness  Trouble Seeing the Big Picture for the Small  Validation & Action
  • 54.
     Psychology  StakeholdersReceptiveness  Distance between action and risk  Conceptual Processing  Ability to Process sufficient incoming knowledge tangential to core life  Analysts vs Engineers  Average is Average  Cannot require or assume exceptionalism
  • 55.
     Wok  WokWok  Wok?  W.O.K.  Wok Wok wok wok This is, obviously, a wildly incomplete framework. But it is a start?
  • 57.
     Exposure isprimarily created outside of InfoSec (although not “only”)  Informing InfoSec Practices with Business Goals instead of vice versa removes levers  InfoSec practices should INFORM and CONTEXTUALIZE business risk practices INTO cyber risk CONTROLS  Cyber isn’t a risk TO you in most cases;  The risk from cyber to society, industry, and gov CREATES risks to you (Polish Airlines)  Risk management’s job is not limited to a process or approach or framework.  It is, instead, behavioral and decision making capacity building  Awareness is not behavior change  Psych, Marketing, Comms  Target: “Risk Based” often conflated with “Have a Priority” in common practice  Difficult to quantify security management non-security benefits because security management is typically focused on improving security management – even when contextualized by business.  We can perhaps, instead, quantify benefits of non-security activities that benefit security by leveraging dual purpose activities
  • 59.
     Expand  Clarify Communicate  Maintain  Use  Market  Criticize  Trash it and Start Over if Needed  We still need one  Let’s just stop repeating ourselves
  • 60.
     Goal Development: Siege Breaking and Parasitic Environment Management (next slide)  Roles to Risk Modeling to…  Create Exposure Management Strategies  Aid Targeted Education for Risk Decisions in Role Context  Mitigate Tech/Process Controls  A Non-Sec Initiative  Integrate Disparate Disciplines into a Cybersecurity Discipline  Business Risk Managers/CFO’s/Psychs/OrgProcess/Marketers/Sociologists against InfoSec…  Socialize QA as applied to Cyber Exposure Creation  This should exist, but perhaps unapplied  Citizens as a DHS Critical Infrastructure Sector  Contextualize abstract risks in existing process  Identify Psychological Motivation Profiles for Targeted Behavior Change  Business Levers that affect security with the most non-security ROI.
  • 61.
    Develop cross-environment jointactor strategies to more effectively and sustainably compete for the ability to provide value smack in the middle of a constant conflict that cannot be won against players we may or may not be able to see, know, or influence and whose values and goals may be in support of yours, oppositional to yours, or tangential to yours while, over time ,gradually de- incentivizing the use of cyberspace as a conflict domain.
  • 62.
     Think BeyondInfoSec  Broaden Scope Out As Far As You Can Go  Re-Consider your Metaphors and Models from the Ground Up  If Only as a Thought Exercise  Ask how to manage risk without InfoSec  Then build an error handler  Wonder at why we are where we are  And treat common practices as solving an insufficiently complete list of problems
  • 63.
    Jack Whitsitt, EnergySecSenior Strategist @sintixerr | sintixerr@gmail.com

Editor's Notes

  • #3 When submission time came, for this, I hadnt spent a lot of time doing hard research, but sometimes that’s ok…because thinking about models can be a valuable precursor to getting data….especially in a new space like cybersecurity (and I use the word intentionally) here….and especially when you think that perhaps existing models are deeply off. Many times, though, we’re stuck in the grind, though, and cant really focus on deep, big picture, abstract thoughts. But this year, I did have that chance….to very literally think about the forest for the trees
  • #4 Left to Escape Ebola Zombies Came back, turns out I made an effectively prioritized decision that had nothing to do with my perceived risk and executed a really well performed solution that improved my life, but not in a way I anticipated. Actually, no, I had goals, changed environmental factors, and suddenly my decision making capacity and effectiveness improved But out there, eventually you run out of things to say to yourself and you start challenging your fundamentals…and this is what this talk is really about; Do we really know what the forest looks like, or are we getting lost in the trees? How do we find a way out?
  • #6 Why is this? Why are we doing so poorly? What am I trying to get at with this talk….bad metaphors and targeted problem spaces
  • #7  . A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition for lack of a common idea of what it is we’re solving for. Framework….
  • #9 What am I trying to get at with this talk….bad metaphors and targeted problem spaces (is infosec even relevant? <stories…guys with guns, history of infosec as bandaid practices and models and conflicts and perimeters and defense in depth …….. And then targeted problem space. A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition for lack of a common idea of what it is we’re solving for. Framework…. SOMEWHERE ANSWER WHY MY FRAMEWORK…NEXT? “SO, WHERE ARE WE?”
  • #11 Wide Scope, narrow in. (pull from class, puzzle pieces, quote)