A thought-provoking article in the current issue of Harvard Business Review about managing complexity for corporate survival presents an interesting formula that dovetails nicely with best practices for setting strong enterprise information security strategy as well.
The Biology of Corporate Survival discusses how companies are “dying” younger because they are failing to adapt to increasing complexity. The authors draw on lessons from successful biological ecosystems to outline six survival principles for ensuring that a business operates like a healthy “complex adaptive system (CAS).” These include maintaining heterogeneity, cultivating modularity, sustaining redundancy, expecting surprise (but reducing uncertainty), creating feedback loops and adaptive mechanisms, and fostering trust and reciprocity. Most of those descriptions may not sound like anything typically discussed in cybersecurity circles, but I’d like to translate how they apply to our increasingly complex realm.
Maintaining heterogeneity in the HBR article is described as using “diversity in people, ideas, innovations, and endeavors” to counter the risk that “change from within or outside the industry [...] renders the firm’s business model obsolete.”
Where’s the cybersecurity relevance? Consider how new IT delivery models have left fixed-perimeter security appliances behind in today’s highly automated, shared, flat networks, where workloads are no longer tied to fixed IP addresses. The rise of containers, together with increasingly capable threat actors, is accelerating that extinction event: both break the old security paradigm, defy manual solutions, and heighten complexity. Maintaining heterogeneity therefore means adopting new approaches to InfoSec rather than relying on one control type or one vendor. Different times require different methods.
Cultivating modularity in a CAS is described as having “barriers between the components of the business system and between business systems” to minimize contagion when “shocks in one part of the economy or business ecosystem spread rapidly to other parts.” Translated to the level of InfoSec concerns, if that doesn’t sound like an argument for a multilayer, multidirectional defense structure, I don’t know what does. Microsegmentation-based security implementations, with their focus on partitioning workloads and their innate ability to impede lateral movement, adhere to this modularity principle, whereas perimeter-centric policies, with their vision of the network as a fortress, simply cannot: once an attacker is inside the walls, every internal host is a neighbor.
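To make the modularity point concrete, here is an added example (not code from the HBR article or from this post) that models a small, constructed environment and computes the blast radius of a single compromised workload under a perimeter-only policy versus a microsegmented allow-list. The workload names, the allowed flows, and the choice of compromised host are all assumptions for illustration; the policy functions stand in for whatever firewall, SDN, or host-based enforcement you actually use.

```python
"""Blast-radius comparison: perimeter-only vs. microsegmented policy.

Added example, not from the HBR article or the original post. The workload
inventory, the allowed flows and the 'compromised host' are constructed.
"""
from collections import deque

# Constructed inventory: a three-tier app, a backup server and a jump host,
# all sitting on the same flat network.
WORKLOADS = ["lb", "web-1", "web-2", "api", "db", "backup", "jump"]

# Constructed microsegmentation allow-list of (src, dst) flows the business
# actually needs. Anything not listed is denied, including same-tier peers.
ALLOWED_FLOWS = {
    ("lb", "web-1"), ("lb", "web-2"),
    ("web-1", "api"), ("web-2", "api"),
    ("api", "db"),
    ("db", "backup"),
    ("jump", "web-1"), ("jump", "web-2"), ("jump", "api"),
    ("jump", "db"), ("jump", "backup"),
}


def perimeter_policy(src, dst):
    """Perimeter-centric model: one boundary at the edge; any internal
    workload may initiate a connection to any other internal workload."""
    return src != dst


def microseg_policy(src, dst):
    """Microsegmentation: only explicitly listed src->dst flows are allowed."""
    return (src, dst) in ALLOWED_FLOWS


def blast_radius(compromised, policy):
    """Workloads an attacker who controls `compromised` can reach by hopping
    only over connections the policy allows (breadth-first search over the
    flow graph the policy implies). Returns the reachable set, sorted."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for dst in WORKLOADS:
            if dst not in seen and policy(src, dst):
                seen.add(dst)
                queue.append(dst)
    seen.discard(compromised)
    return sorted(seen)


def compare(compromised):
    """Side-by-side blast radius for the two policy models."""
    return {
        "perimeter": blast_radius(compromised, perimeter_policy),
        "microseg": blast_radius(compromised, microseg_policy),
    }


if __name__ == "__main__":
    for host in ("web-1", "jump"):
        result = compare(host)
        print(
            f"{host}: perimeter reaches {len(result['perimeter'])} hosts, "
            f"microseg reaches {len(result['microseg'])} -> {result['microseg']}"
        )
```

Two things worth noticing in the output. First, microsegmentation narrows the blast radius but does not eliminate it: a compromised web server can still follow the legitimate web → api → db → backup chain, so segmentation has to be paired with controls on those allowed flows. Second, the jump host reaches almost everything even under the strict policy, which is exactly the kind of high-value node a reachability model surfaces for extra hardening. The model only reflects policy, not whether any hop is actually exploitable, so treat it as an upper bound on where an attacker could go, not a prediction of where they will.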
Sustaining redundancy ties directly to the modularity concept. It is described in the HBR article as “duplication that creates buffering capacity in components of the business system” to address “fat-tail risk: rare but large shocks such as natural disasters, terrorism, and political turmoil.” Like modularity, redundancy translated into strategy means that security should be implemented in layers, where no single defense is relied upon for the overall security profile of the network or datacenter. Instead, many layers of defenses are positioned throughout the entire system and across various workloads, so that a disaster or breach doesn’t bring everything to a screeching halt. Layers only buy resilience if they fail independently: two controls that share the same credential, management plane, or vendor are one control for the purposes of a fat-tail event. On a physical level, redundancy also means ensuring practical backups for environmental, operational, and power necessities (e.g., automatic failover and uninterruptible power supplies for your servers and/or your cloud provider’s servers).
Expecting surprise (but reducing uncertainty) probably requires no translation, since this should be the default state for everyone working in InfoSec. According to the HBR article, those managing healthy complex adaptive systems “collect signals, detect patterns of change, imagine plausible outcomes, and take precautionary action” in order to address risks associated with discontinuity, where “the business environment evolves abruptly in ways that are difficult to predict.” This description could easily have been lifted directly from any modern IT security strategy playbook, where teams must employ visibility and reporting tools across mixed infrastructure, as well as automated workflows and security provisioning, in order to navigate a security landscape that exists in a perpetual state of flux. The only thing certain is uncertainty, but that doesn’t mean your security apparatus can’t be structured to meet the unknown with some measure of confidence, and it falls to InfoSec teams to meet that challenge.
Creating feedback loops and adaptive mechanisms in a CAS requires that you “monitor change, promote variation, experiment, amplify innovations, and iterate rapidly” to reduce obsolescence risk, where “the firm fails to adapt to changing consumer needs, competitive innovations, or altered circumstances.” In cybersecurity terms, this builds upon the aforementioned uncertainty principle, and also represents a call to always consider the function of IT for the enterprise and how security can be embedded within that function. Enterprise security strategy has to promote and facilitate the mission of the business, not hinder it; and increasingly this must be accomplished with great speed. In practical terms, feedback loops and adaptive mechanisms translate into a requirement that your security solutions be suitable for fast deployments that complement DevOps and Agile workflows, and that all your security provisions integrate completely, on demand and at scale.
Fostering trust and reciprocity is the final principle highlighted in the HBR article, and it presents an interesting twist for translation into InfoSec terms (where “trust” is a loaded word). The authors indicate that this principle is displayed in a healthy CAS where managers “act in ways that benefit other participants in the overall system, and establish mechanisms that ensure reciprocity” in order to counter rejection risk. A healthy cybersecurity approach will integrate into existing infrastructure and processes, and at the very least not run counter to this goal.
But I think this concept of fostering trust and reciprocity best applies to enterprise security management in relation to the human element, and how cybersecurity is positioned and provisioned within a company. Too often, IT security teams are saddled with negative stereotypes in their own organizations: the department that puts the brakes on innovation, those who see a threat around every corner, the rain on every parade. At the management level, cybersecurity is often viewed as a necessary evil, an expensive cost center, or merely insurance for trouble that may never arise.
This really shouldn’t be the case at a time when information security concerns have become very real business issues for enterprises across the globe. Perhaps these unhealthy perception problems can be addressed, in part, through fostering internal trust and reciprocity. Any security strategy will be best adopted and uniformly embraced in the enterprise where it has been supported by leadership, clearly explained, implemented with the most consideration and least disruption, and aligned with overall business goals. Imagine well-equipped and collaborative security teams clearly communicating the benefits of their efforts toward protecting overall organizational health; addressing the operational needs and desires of their coworkers with respect, understanding, and state-of-the-art technology; and receiving that same level of trust, support, and respect from the greater organization in return.
That sounds like a healthy complex adaptive security system to me.