Systems Thinking for Cybersecurity Professionals
A Multidisciplinary Approach to CyberSecurity - Chapter 1
This week’s Cyb3rSyn Newsletter is a special cross-post on cybersecurity in collaboration with TL;DR Sec (Shout-out to Clint Gibler!).
TL;DR:
The blog post introduces systems thinking as a lens for cybersecurity professionals. It recommends that we view organizations as complex adaptive systems with purposeful actors and calls for a multidisciplinary approach to dissolve today’s dominant cybersecurity problems.
Introduction
Most cybersecurity problems have known solutions. Take credential theft via phishing attacks, for example: we know that FIDO keys are effective at defending against them.
The real issue is not that we don't know "WHAT" to do. The challenge in the trenches has always been in the "HOW"!
How do I roll out FIDO keys within MY organization - with our budget constraints, prioritization conflicts, organizational design, legacy baggage, proprietary technology stack, etc.?
Unfortunately, cybersecurity is a niche specialization today. But the answers to our questions lie in other disciplines. Backed by multiple years of theory-backed experimentation in the trenches, I’m calling for a multidisciplinary approach to cybersecurity.
The cybersecurity approaches of today are violating many fundamental insights and first principles from other fields - starting from human nature (psychology), complexity, systems thinking, ergodicity, cybernetics and more.
When these insights, principles and heuristics are taken seriously, our approach to cybersecurity completely changes from the mainstream approaches. We can then figure out a new “how.”
This post discusses insights from systems thinking, using real-life examples, and explores what they mean for the field of cybersecurity.
"If A is narrow professional doctrine and B consists of the big, extra-useful concepts from other disciplines, then clearly the professional possessing A plus B will usually be better off than the poor possessor of A alone. How could it be otherwise?"
Systems Thinking
When it comes to leadership in tech firms, a true ‘emperor has no clothes’ situation is in the application, or lack thereof, of Systems Thinking.
I’m not asking for something new. All modern “ways of working” call for the application of systems thinking.
For example, DevOps calls it "the first way", and LeSS wants us to “Apply Systems Thinking.” But the reality is that very few leaders and entrepreneurs understand what that really means. We are all caught up in methods (that specify “what” to do), but don’t know the “how” and, more importantly, the “why.” There is so much talk about first-principles thinking, but none is applied when it comes to organizing humans with a common purpose.
“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.”
This post will not attempt to explain what systems thinking is, as there are multiple traditions. For the curious, I highly recommend the books of Dr. Mike C Jackson. His latest book, ‘Critical Systems Thinking: A Practitioner's Guide’, explores and critiques the best-known systems methodologies, and I highly recommend it to people who want to understand the potential of systems thinking and use it in their day-to-day work.
Every decision we make has both intended and unintended consequences. Overlooking feedback loops and neglecting interactions and interdependencies can lead to outcomes that are completely contrary to our original intentions.
This is sometimes called the “cobra effect”. The economist Horst Siebert coined this term from a story originating in the British Raj. To tackle the venomous cobra problem in Delhi, the British government introduced a bounty for each dead cobra. At first, this approach seemed effective, as many snakes were killed for the reward. However, the situation took a turn when people started breeding cobras to earn money. Once the government discovered this, they ended the reward program. As a result, the breeders released their cobras, ultimately increasing the wild cobra population.
I will now take the lens of systemic thinking and explore how the cybersecurity industry has created its own ‘cobra effect’ with its attempts to solve phishing attacks. But first, let me set the stage by discussing the four different ways we can treat a problem, as put forward by the systems thinker Russell Ackoff:
Absolution: Ignore the problem and hope it will solve itself or go away. Parents who have dealt with kids fighting with each other know what I’m talking about.
Resolution: This approach seeks to find a solution that is "good enough" or satisfactory. It aims to address the problem in a way that meets the minimum requirements or alleviates the most pressing symptoms, but it may not be the optimal or most sustainable solution. Uses experience, common sense, qualitative judgment – a clinical, humanistic approach.
Solution: This involves finding the best possible solution to the problem within the current constraints. It requires a deeper understanding of the problem's root causes and a thorough evaluation of different options to identify the most effective and efficient course of action. Uses scientific research, experimentation, quantitative analysis, and optimizing techniques.
Dissolution: Redesign the system that has the problem, or its environment, in such a way as to completely eliminate the problem. Dissolution may incorporate all the other ways of treating problems.
Dissolution is generally regarded as the best approach to treating any problem. In this approach, we typically don’t see and solve the problems where we find them - in a silo, within the system boundary of a department or an organization. Dissolution attempts to completely eliminate the problem by changing the environment of the system in question.
It nudges us to carefully consider our system boundary and values. It invites us to explore the environment to see if something could be changed there to completely eliminate the problem within the system (or if something could get harmed - e.g. environmental pollution).
(Note: Before we proceed further, I’d like to call out a typical trap that most new systems thinkers fall prey to. Once exposed to the ideas, they think that they can now see the “whole” system, but there is not one representation of what a “system” really means. The meaning can change depending on who the observer is. My narrow view of what a system should do and what the outcomes should be may not align with another participant’s perspective; each of us has our own perspectives and cultural nuances. The antidote was poetically articulated by the systems thinker C West Churchman: a systems approach begins when first you see the world through the eyes of another.)