The most devastating security failures are often the ones we can't imagine - until they happen.
Prior to 9/11, national security and law enforcement planners assumed airline hijackers would land the planes in search of a negotiated settlement - until they didn't.
The extent of injury from these incidents often depends on how far novel risks were unforeseen, or assumed not to be risks in the first place.
In other words, the more basic the assumption, the more devastating the compromise.
The imperative of security is to be right not only now but also in the future: to anticipate and mitigate, through effective planning and preparation, risks that will arise at some later time and place.
The assumptions we make about that future environment serve as the foundation for that work.
Assumptions are necessary for any security plan to be cohesive.
Our assumptions today are unlikely to hold in the future.
We know that increasing interdependencies will make security challenges inherently cross-domain and interdisciplinary.
We know that who and what provides security is changing as well.
The current approach to security goes something like this: First, we review recent incidents, while gathering information on the threats we know about.
Next, we develop a consensus on how to neutralize those threats and mitigate associated risks.
The fundamental challenge is to prepare for a future with an unknowable risk profile.
The future of security will be about resilience in the face of emerging risks that cannot be specifically identified today.
We must also question the very assumptions that undergird our sense of security today.
A new, future-resilient approach will need to include a deliberate process of challenging existing assumptions, while they remain valid, to model a future in which those very assumptions are compromised.
In practice, this involves stress-testing the assumptions we make about the world in which we operate and the environments in which we strive to achieve security.
These assumptions can be broad or narrow, across multiple dimensions.
This process of categorizing and stress-testing fundamental assumptions is a necessary exercise for any leader who is interested in ensuring long-term security and resilience in the face of an uncertain future.
In the next installment of this two-part piece, I'll examine some of the basic assumptions in the most common security frameworks, and the technologies we assume to be central to cybersecurity.
This article was published on www.darkreading.com. Publication date: Tue, 02 Jul 2024 14:00:08 +0000