The Challenge with Corner Cases

“All models are wrong, some are useful”, George Box

Attributed to a British statistician, this phrase is still being quoted almost 50 years later and has likely inspired aphorisms like “perfect is the enemy of good”, the “80-20 rule” and “Better a diamond with a flaw than a pebble without” (Confucius?).

Following on from that, and perhaps due to a fear of publishing opinions that could later be invalidated (a fear that lingers from university), there are many examples of things being accepted as fact despite corner cases that disprove the hypothesis, or corner cases so obscure that no one had previously considered them. We can speculate that no one ever pondered “what would happen if two black holes meet somewhere in the universe and decide to combine into one and we recorded it”, but on September 14th, 2015, this exact scenario did occur and confirmed Einstein’s theory on gravitational waves beyond refutation. Ironically, even Einstein himself wasn’t that confident in his theory and would periodically change his position on the matter, yet anyone using GPS has benefited from his understanding of the time/space relationship – flaws and all. So what does any of this have to do with security risk management, in three words or less?

Strategic Business Alignment

One of my regular questions on the podcasts is how our guests help their clients identify the point of diminishing returns, primarily because of my personal tendency to identify the handful of scenarios where a solution may not be effective; I could use some ideas on accepting good versus the costly pursuit of perfection. Revisiting “strategic business alignment”, as risk professionals we need to accept that organizations often embark down a path without a complete understanding of how they will handle everything that comes up. The concept of the minimum viable product (MVP), a Silicon Valley darling for years, can partially inform the risk assessment model. The MVP model could be cynically described as: get people using your software, fix the things that really are an issue after enough customers report them rather than agonize over every possible use case, and hopefully don’t run out of money before becoming profitable. The Agile Alliance does point out that settling for just enough that people will buy something doesn’t make a product viable in the long run, and we see that regularly with cracks in cloud infrastructure, financial meltdowns and so on.

Back to “all models are wrong”, if we take the MVP concept seriously, part of our effort will be to analyze why things are not going as planned, ideally looking for the root cause rather than applying duct tape and pushing on with the next release or growth initiative just to keep things on schedule. Schedules are important, but the courage to miss a date for safety, quality, or some other darn good reason will be rewarded in the long run.

“I love deadlines. I like the whooshing sound they make as they fly by.”, Douglas Adams

I would be the first to point out that a flaw in a business productivity application will have a far less significant impact on society than a flaw in water treatment, electrical generation or a piece of medical equipment, but can we address flawed models via resilience? As risk professionals we often possess the uncanny ability to identify one or two scenarios that an existing or proposed control will fail to address. At this point we have the choice of saying “this is unacceptable because …”, or we can ask those who may know more about some aspects of the problem or the organization’s capability to respond (apparently even Einstein had his doubts and would speak with others in his field).

Posing a question like “if scenario one came to pass, what is the most credible and most extreme impact?” in a roomful of subject matter experts will most likely result in numerous lengthy responses, some contradictory, but themes tend to emerge. Most certainly watch for those extremes: I had dinner recently with a respected ICS security expert and completely agree with the position that some outcomes, no matter how unlikely, are too significant to knowingly leave to chance. If we as risk professionals identify such a scenario, I believe we should resist “damn the torpedoes” with everything we have, if professional ethics mean anything. That said, in most cases the worst possible outcome may be highly undesirable but recoverable. There is a generational difference in impact level between a cardboard box for a C-Suite member and a nuclear wasteland or polluted water.

Many corporate boards list “cyber security risk” in their top 5, and reviewing a firewall or application security log for five minutes will confirm the threat is very real. That said, I know of no business that has decided to shut everything down because “things are just too challenging these days”; ironically, many are openly evaluating whether machine learning, process automation and cloud computing can give them a marketplace advantage.

In a business world where many run toward the fire instead of away from it, can we help those we serve balance the many enterprise risks, not just cyber, to give them the greatest likelihood of a successful outcome? Tim recently recommended a book on becoming a trusted advisor, which includes a great deal of discussion on dealing with mistakes. Theoretically solving for all corner cases and missing the opportunity window ultimately doesn’t serve anyone.

Advancing the Profession of Security

While ethics and morality are both human constructs rather than scientific properties, one of the key differences is the rate of change and the percentage of those agreeing with a defined code. At an unnuanced, abstract level, ethics are based on a code of behaviour defined by an external source, while morality is an individual’s view of right and wrong.

So what does this have to do with risk management, cyber security or the profession of …?

I was reviewing an article in my reading list and was struck by the author’s claim that very few people are members of an IT professional association, since that doesn’t reflect my experience. Facts always trump opinion, and a quick search will reveal that ISC2, ISACA and ASIS membership for 2022 is approximately 350,000, while Statista pegs the full-time ICT workforce north of 50 million. Therefore, disregarding membership overlap, at less than one percent John Mitchell’s minority statement seems charitable. Personally, that percentage disappoints me, as I see that gap as a barrier to the profession of security gaining legitimacy, since the existence of professional groups with substantial membership is one of the ways professionalization is judged by society at large. Adherence to codes of practice and ethics is one way professional organizations can distinguish their members from those who merely have similar skills.

Re-examining the CISSP code of ethics I agreed to uphold nearly two decades ago, with both the perspective of time and a master’s degree research module, I am wondering if the ethics discussion needs to be given more than lip service by security professionals. The transformation of ethical perspectives takes time but occurs nonetheless, and organizations need to realign to changes in societal expectations. Ideally, ethical discussions should incorporate the widest reasonable collection of stakeholders, but these days partisan echo chambers seem to be the norm, even within the security community, so expect some turbulence.

The pace of business often finds us distracted with deliverables and accountabilities; consequently, guiding principles have a tendency to fade into the background. In full transparency, I’ll admit to looking up the details of the CISSP code of ethics; fortunately, I was well within the lines. That said, I felt compelled to commit my interpretation to paper, if for no other reason than to open a dialog on a subject we need to align on within the industry, since we are in a position of trust.

Reflecting on the CISSP Code of Ethics

The topline preamble is almost a mission statement or guiding principle on its own; adherence should avoid any issues of conscience.

“The safety and welfare of society and the common good, duty to our principles, and to each other…”

At the more prescriptive and externally measurable level the first two canons provide a concise description that seems to cover the majority of scenarios I have encountered in my career.

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.

Items three and four seem to lean slightly toward areas that will demand a bit more personal interpretation of one’s accountabilities and compliance.

  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

“Providing diligent and competent service” is most certainly subjective, and on any given day our best is going to vary. If we can truthfully say we are meeting or exceeding the standard of a reasonable person, is that all we can ask of ourselves and our peers? One way to answer that would be to try a thought experiment like the one below. Be warned: there is not enough context for a truly correct answer, just an opportunity to reflect. Another tactic is to truly understand your organization and where its point of diminishing returns is. Our job as risk professionals is to bring the most important concerns to the right level of accountability, and they can rely on our judgement if we are consistently striving to be ethical and diligent.

While doing another task I discover a deficiency. I knowingly leave a security control broken because:

  1. We had sufficient compensating controls, and the implementation team is already at 130% of capacity with no end in sight.
  2. Although the compensating controls have flaws of their own, the threat community is small and this is one node in a long attack tree.
  3. The person accountable for fixing it has a strong personality and is very clear they don’t want negative attention from upper management.

As for “advancing and protecting the profession” each of us can contribute regardless of skills, tenure and even personality. Consider the following:

  1. Anyone who has spoken to a near-empty conference room will agree that your very presence in the audience (physical or virtual) advances the profession by encouraging that presenter or researcher to continue their work.
  2. Share articles and research you stumbled upon with others in your department, peer group or social networks. If it is genuine and relevant to them, most people won’t cast you or the content in a negative light.
  3. Share the skills and personality you do have without regard for notoriety or compensation. We are all experts compared to the general population, so when a relative or casual acquaintance asks a security or technology question, take the time to make sure they understand, or send them a link to someone who does explain it well.

Call to Action

Most in the industry will acknowledge, at least privately, that we are adopting technology faster than we can secure it and are seldom afforded the time to consider the many ramifications of our choices. Reflecting on the ethics we have agreed to follow, and how we are personally aligning to those commitments, is something we can all do as an internal process. Externally, I challenge all of us to incorporate our ethical lens as we assess and contribute to peer dialog on security matters, to collectively advance our profession.