Systems Thinking for Cybersecurity Professionals
A Multidisciplinary Approach to CyberSecurity - Chapter 1

This week’s Cyb3rSyn Newsletter is a special cross-post on cybersecurity in collaboration with TL;DR Sec (Shout-out to Clint Gibler!).
TL;DR:
The blog post introduces systems thinking as a lens for cybersecurity professionals. It recommends that we view organizations as complex adaptive systems with purposeful actors and calls for a multidisciplinary approach to dissolve today’s dominant cybersecurity problems.
Introduction
Most cybersecurity problems have known solutions. Take credential theft via phishing attacks, for example: we know that FIDO keys are effective at defending against them.
The real issue is not that we don't know "WHAT" to do. The challenge in the trenches has always been in the "HOW"!
How do I roll out FIDO keys within MY organization - with our budget constraints, prioritization conflicts, organizational design, legacy baggage, proprietary technology stack, etc.?
Unfortunately, cybersecurity is a niche specialization today. But the answers to our questions lie in other disciplines. Backed by multiple years of theory-backed experimentation in the trenches, I’m calling for a multidisciplinary approach to cybersecurity.
The cybersecurity approaches of today are violating many fundamental insights and first principles from other fields - starting from human nature (psychology), complexity, systems thinking, ergodicity, cybernetics and more.
When these insights, principles and heuristics are taken seriously, our approach to cybersecurity completely changes from the mainstream approaches. We can then figure out a new “how.”
This post discusses insights from systems thinking, using real-life examples, and explores what they mean for the field of cybersecurity.
"If A is narrow professional doctrine and B consists of the big, extra-useful concepts from other disciplines, then clearly the professional possessing A plus B will usually be better off than the poor possessor of A alone. How could it be otherwise?"
Systems Thinking
When it comes to leadership in tech firms, a true ‘emperor has no clothes’ situation is in the application, or lack thereof, of Systems Thinking.
I’m not asking for something new. All modern “ways of working” call for the application of systems thinking.
For example, DevOps calls it "the first way". LeSS wants us to “Apply Systems Thinking.” But the reality is that very few leaders and entrepreneurs understand what that really means. We are all caught up in methods (that specify “what” to do), but don’t know the “how” and, more importantly, the “why.” There is so much talk about first-principles thinking, but none applied when it comes to organizing humans with a common purpose.
“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.”
The post will not attempt to explain what systems thinking is, as there are multiple traditions. But I highly recommend the books of Dr. Mike C Jackson for the curious. Here is the link to his latest book, ‘Critical Systems Thinking: A Practitioner's Guide’, in which he explores and critiques the best-known systems methodologies. I highly recommend it to people who want to understand the potential of systems thinking and use it in their day-to-day work.
Every decision we make has both intended and unintended consequences. Overlooking feedback loops and neglecting interactions and interdependencies can lead to outcomes that are completely contrary to our original intentions.