A very large part of space-time must be investigated,
if reliable results are to be obtained.
— Alan Turing
On 12 May 2021, the US White House issued a presidential executive order (EO) on improving the nation’s cybersecurity. While this order is directed primarily at the federal government, it is useful for enterprises in the private sector to understand not only the direct implications for any touchpoints with the government but also the key elements in the EO that have broader applicability beyond the government’s needs.
The purpose of this Advisor is to point to this EO as a resource that enterprises should study in some depth and to use it as context for highlighting ways to think more fundamentally and timelessly about cybersecurity. (In this Advisor, we use the word “security” synonymously with “cybersecurity.”)
Models: Parallel Worlds
Security is defined by the context of the world within which it exists. We will always have various constructs and concepts mixed in with real things that, in combination, make up our “world.” If our world does not align with the real world, our decisions and actions will not either. The important idea here is that there will always be these two worlds – often discussed as the map versus the territory – try as hard as we may to make them one and the same. The differences require vigilance on our part so that we may anticipate gaps and inconsistencies rather than be surprised when our actions fail to accomplish exactly what we set out to do. A simple security-related example is a failure to understand that, although individuals may be restricted in what they have access to, a group of individuals can pool their privileges together to get to a place that is more than the sum of the parts.
The EO shows awareness that these kinds of invisible infringements are possible by articulating the need to enable a government-wide endpoint detection and response (EDR) system and improved information sharing within the federal government. What is good for a distributed government should be good for a distributed enterprise, too. It is important to model the enterprise and its parts to understand that these parts exist, to understand the sharing that needs to be in place for a whole-enterprise view, and to put in the systems needed to enable the right kind of sharing across the enterprise.
Time Breaks Models
As time moves forward, new forces and new entities emerge. The EO acknowledges this and exhorts the private sector to “adapt to the continuously changing threat environment … to foster a more secure cyberspace.”
Even when we develop views of the world that are somewhat well aligned with the way things are, these views can get dated as the real world moves and shifts. Our model drifts, not because it gets corrupted but because it doesn’t keep up with new requirements that didn’t exist in the old world.
An example of how this might occur can be seen in a relatively new kind of cybersecurity attack, as manifested in the compromise of SolarWinds’s software. This represents a whole new category of attacks on the supply chain that exploits trusted relationships between suppliers and customers. These threats to the supply chain drive requirements for guarding not just the enterprise, but upstream of it as well. A model that is unaware of the notion of “upstream” has experienced a model drift that causes it to lose connection with the real world.
The EO recognizes this form of gap in the security architecture and makes an explicit call to enhance software supply chain security.
Space Breaks Models, Too
Change occurs not only from outside, but also from within an enterprise. The nature of what an enterprise is has been changing rapidly, enabled by the ability to integrate via APIs and to share resources across cloud and on-premises infrastructure and, more recently, “multi-cloud” (using cloud services from multiple vendors). The promises of an ability to innovate faster, to realize savings through economies of scale, and to potentially reduce single-point-of-failure risks are driving enterprises to redefine themselves on an ongoing basis by adopting these new architectural constructs and the related infrastructure.
The gains, however, will not come unless the enterprise’s security architecture reflects the new “extended enterprise” that the old one becomes as it spreads over space across numerous and varied business entities. The multi-cloud is a central construct in this new architecture model. The EO recognizes this and asks federal government entities to work toward secure cloud services and a zero-trust architecture.
As the nature and kinds of threats increase and the definition of “enterprise” changes, enterprises must grasp the state of their security model and architecture, understand that a model is a model, and devote resources to the upkeep of a comprehensive view of security across space and time that is understandable to and actionable by human decision makers.