Mapping our Fragility


BLUF 

We don’t see into the future. Especially with large scale issues, we can make correlations afterwards, but we are not soothsayers. We didn’t predict COVID, nor the scope of its impact. What we can do is measure based on past experience and potential risk, mapping where our fragility lies.

Background

In the future after COVID is over, we will look back and point out the pieces that clearly marked the current abrupt change of circumstances. There will be a lovely series of linear cause-and-effect studies conducted to give us markers for things we should have seen, but didn’t. Things will be assessed to become markers for what we look for based on experience. We may have a new normal; though as time wears on it may or may not hold for the majority of the population. Will we shift our daily practices to include masks or social distancing in years to come? Perhaps. Many can’t manage either in the present (as other market shoppers aggravatingly remind me).

Much like how we still cook chicken fully to reduce the potential to contract salmonella, but still eat it after it falls on the floor. Five second rule and whatnot.

Using floor chicken as an example, there are markers identifying whether or not we would eat the piece that dropped, namely our understanding of how fragile we are to the potential harm we are introducing for that savory morsel. Would we eat it in mum’s freshly mopped kitchen? Sure. Would we do it at the wastewater treatment facility? Much less likely. And that is only one factor we may consider. Similarly, a young person with a strong constitution is more likely to consume the fowl than someone further in years or with a compromised immune system.

We can take factors into account to help us determine our resiliency, or more importantly, our fragility. When we can’t tell what will happen to us externally, we can still look inward to determine where our perceived or experienced strengths and weaknesses are. Using those experiences and perceptions based on what we have, we can judge the degree of expected damage an external event likely would create. Like a china plate dropped from waist height on stone tile – it may not break, but best be careful. Understanding our fragility helps us take action based on uncertainty.

In cyber security, there is a lot of uncertainty. We can’t properly assess risk unless we know our fragility.

Can I tell you if we are susceptible to every malware virus out there? No, but I can tell you if we were exposed and if anything made it past the defenses.

Can I tell you what the business or network impact would be from our networks becoming infected with ransomware? Also no, but I can tell you what the impact is or was – present/past tense.

Can I give you an educated guesstimate for future predictions? Certainly, but knowing that many factors outside my understanding may play a part, and that things could go better or worse. That makes prediction a more difficult game we honestly won’t win; more often we twist the interpretation in after-actions.

What we can do is understand how fragile (or not) we are to unforeseen events (just like knowing the plate will likely be damaged after being dropped, or the chicken likely came in contact with unsavory floor-flavours).

We do many things to help secure our network environment from cyber or natural disasters, though it is often complicated as we don’t always know what’s been done or whom to ask. With resources and support given, we can better that understanding. We need to map out our organisations.

We say mapping things all the time, but what is actually suggested?

In a physical sense, a map makes connections, helping determine what we will encounter in travelling to where we are going. In traditional maps we judge our location in proximity to other landmarks, but it’s not terribly different creating a map to look at organizations.

The notion of topography is different when mapping an enterprise; it’s all in how you frame it. We can’t use landmarks and kilometers (also known as entities and relationships in both mapping senses) to chart an organization, so what can we use? People – in every organisation it always comes down to someone when you peel back the layers.

  • We know who works in the business (org chart revisions may have delays, but delaying access revocation after departure is begging for disaster)
  • Every service/process/control ties to someone
  • There is a person for every external interface

If we create a map based on people, you will not only find our fragility, you will also find where our resilience has always been.

More to follow.

-scl