From Google searches and family group chats to the systems powering our healthcare and military capabilities, software defines much of modern society and our ability to interact with one another.
There are many challenges in reducing the risks to these systems. The sheer complexity of many systems, paired with accelerating development velocity, presents even more difficulties in securing software. This diverse ecosystem leads to disagreement even about how to think about securing our systems, before any actual technical solutions are decided on.
Even once a solution has been settled on, many decision-makers fail to recognize and support the continuous tuning and refinement of security tooling that turns security telemetry into the outcome that matters: more secure software.
Oftentimes budget allocations and resources are sized according to market incentives that rarely align with what is needed to properly secure our data and systems.
To better communicate the challenges we face within the field of cybersecurity, we propose an analogy of cyber resiliency to injury prevention and recovery with one key difference that we believe strengthens our argument.
Injury prevention and recovery are universally accepted as a part of sports. Those who are serious about performing to their highest potential for long periods of time recognize the critical importance — from high school cross-country runners routinely warming up with dynamic stretching to doctors and sports therapists repairing a basketball player’s Achilles rupture that two decades previously would have ended their career.
In sports, while there may be differences in opinion as to the best methods of how to reduce injuries and promote recovery systematically, the field of sports medicine relies on data-driven analysis and proven methodologies to enable their programs to win. The business benefit here is direct. Keeping athletes healthy and on the field maximizes the return on investment teams have allocated toward individual players.
Direct parallels between the world of sports and software development notwithstanding, there are key differences between injury prevention and recovery on one side and cyber risk reduction and resiliency on the other. Sports medicine, injury prevention, and recovery are universally viewed as integral parts of sports, while cyber resilience and risk reduction are often not viewed the same way for software.
The outcomes the two fields face reflect this difference. Sports medicine and injury prevention have made major progress in decreasing injuries, promoting recovery, and extending the longevity of athletic performance. Meanwhile, on the security side, many programs struggle to implement the basics of cyber risk reduction, leading to an epidemic of cyber “injuries.” These “injuries” include headline breaches, routine personal information loss leading to identity theft, and the total economic cost of malicious cyber activity, estimated at billions to trillions of dollars lost per year.
We suspect these differences are influenced by a few sources: extreme exceptions, bearers of consequence, and market factors.
As any athlete knows, injury prevention is not a perfect science. Neither is securing software.
Extreme exceptions to the rule can give rise to flawed arguments such as the exception fallacy (drawing a conclusion about a group from the evidence of a few exceptional cases), to the detriment of the whole.
In sports, there are gifted athletes who perform incredible feats of athleticism and compete at the highest level but also refuse to participate in activities that promote flexibility, longevity, and proper form in building muscle. To these exceptions, injury prevention is extraneous and slows down their ability to compete.
Developers and business stakeholders can sometimes share this thought pattern (often with good intentions). While some exceptional teams and businesses may find success in developing software this way, they should not be the model on which to base policy for safeguarding the development of software that holds our data and powers our world.
Further, in both injury prevention and cyber risk management, consistency plays a critical role. An athlete would not stretch only one or two muscles and expect never to tweak anything across their entire body. That athlete also would not refrain from drinking water or refuse to sleep an appropriate amount and still expect to run the best marathon of their life, yet many decisions within security and business are made as though this were the case.
Many security teams find themselves with only enough resources to address the highest-priority risks. With an ever-shifting landscape of capabilities, tooling, and evolving practices, consistency often falls victim to immediacy. When security efforts are constrained solely to the most immediate risks, fundamentals like secure configuration and architecture (the foundations of a mature security posture) are not prioritized to the extent needed to maintain a robust defense. This is exemplified by cloud misconfigurations consistently remaining a primary source of breaches.
In cyber, we face the challenge of implementing strategies that promote good cyber risk reduction when the consequences of not doing so do not directly mirror the consequences of neglecting injury prevention. Many businesses in the news for critical breaches have not faced consequences proportional to those an athlete faces with an ACL tear. The bearers of consequences in the cyber world are ultimately the end users: our family’s personal data, our private healthcare information, and our national security.
That key difference may change through federal regulation like the newly released 2023 National Cyber Security Strategy, which builds upon the 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity. With its call to “reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies,” the landscape may evolve for the private sector.
Until market incentives shift, whether by regulation or innovation, a firm commitment to data-driven analysis may help us find more successes in cybersecurity. That commitment means focusing on activities that drive business value and increase rates of return so that businesses can thrive and win, much as your favorite basketball player returns to the game five months after an ACL tear with the help of their sports performance team.
Keep an eye out for Part 2 where we will take a deeper dive into the analogy of injury prevention, resilient architectures, and robust cyber security practices!