EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 64, 2021 - Issue 5

Abstract

In Part One, the conversation between the sisters and the origin story of “controls” revealed how errors in assumptions and the use of the wrong math and methods – compounded by complexity and uncertainty – created structural flaws in cybersecurity. Recall that a “structural flaw” is a matter of design, whether of a business process or of a building: better implementation or construction, maintenance, or bandage solutions cannot fix it. Part One analyzed the first of four structural flaws in cybersecurity – “controls.” These flaws churn cyber pros, CISOs and senior managers, and they are more dangerous in an era of cyberwarfare. Part One then described how to review controls to determine which to keep, fix or eliminate. The opportunity is more efficient and effective security – with less waste, distraction and false sense of security. In Part Two, we diagnose three more structural flaws – “lines of defense,” frameworks and insider threats. The emphasis remains on structural flaws that cannot be fixed by better implementation, working longer hours or tweaking. Instead, cybersecurity improvements come from fixing the structural flaws and shifting to better approaches, drawn from proven and practical business management methods in simplification, psychology, systems thinking and design thinking. These approaches achieve their benefits more easily through diverse, high-performing teams.

ACKNOWLEDGMENTS

This article was written specifically for EDPACS readers, adapted from several objectives-acceleration workshops of ValueBridge Advisors, LLC and content originally included in The Operational Risk Handbook.

DISCLOSURE STATEMENT

No potential conflict of interest was reported by the author(s).

Notes

1. In July 2020, The Institute of Internal Auditors updated “The IIA’s Three Lines of Defense Model.” The IIA emphasized “The basis for successful coherence is regular and effective coordination, collaboration, and communication.” (Page 8) The Update walked back some of the most problematic aspects of the model and emphasized “Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.” (Page 1) Thus, the IIA paper can be helpful in stopping bad implementations of the concept. Yet, just as financial reporting-style controls are structurally flawed for cybersecurity so are lines of defense. https://global.theiia.org/about/about-internal-auditing/Public%20Documents/Three-Lines-Model-Updated.pdf

2. Read Santayana’s quote in the context of stages of life and human progress at http://www.gutenberg.org/files/15000/15000-h/15000-h.htm

6. Parks Canada Directory of Federal Heritage Designations https://www.pc.gc.ca/apps/dfhd/page_nhs_eng.aspx?id=1924

8. NIST Special Publication 800–160 Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, Ross et al., November 2016 (updated March 21, 2018), https://doi.org/10.6028/NIST.SP.800-160v1

9. See NIST Special Publication 800–160 Volumes 1 and 2, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

11. Stanton, Thomas and Webster, Douglas W. eds., Managing Risk and Performance: A Guide for Government Decision Makers (Wiley, 2014)

12. For an excellent guidance for designing frameworks, please see “Building a Conceptual Framework: Philosophy, Definitions, and Procedure” by Yosef Jabareen, December 1, 2009, https://journals.sagepub.com/doi/full/10.1177/160940690900800406

15. For more on how to design and conduct robust, story-telling scenario workshops, please see the two sections in The Operational Risk Handbook.

17. Barnier, Brian, Preventing Fraud in “Reel” Time: What can two popular Hollywood films teach us about operational risk? RMA Journal, May 2012

20. There is a method to creating frameworks for any discipline. A framework is a network of interlinked concepts that provide a comprehensive understanding of a phenomenon(a). For an example of such guidance, please see https://journals.sagepub.com/doi/full/10.1177/160940690900800406

21. https://www.nist.gov, accessed on 28 December 2019

22. Interestingly, when Deming was a U.S. Government employee, he worked in the building that became the headquarters of the Federal Bureau of Investigation and is today the Gerald R. Ford House Office Building.

24. Kaoru Ishikawa biography http://www.juse.jp/ishikawa/e/atoz/

26. Ten Reasons People Resist Change, Rosabeth Moss Kantor, September 2012, https://hbr.org/2012/09/ten-reasons-people-resist-chang

27. https://www.nrfirescience.org/resource/16256, Drop your tools: an allegory for organizational studies, Karl E. Weick, 1996

28. After his 1980 blockbuster, Philip B. Crosby released, Quality Is Still Free: Making Quality Certain in Uncertain Times on Oct 1, 1995

30. Cyber safety: a systems thinking and systems theory approach to managing cyber security risks https://dspace.mit.edu/handle/1721.1/90804

31. Applications of Game Theory for Cybersecurity Systems https://www.ripublication.com/ijaer18/ijaerv13n17_01.pdf

33. An example of research on the need to proactively avoid cognitive bias and blindness comes from the field of forensic science where errors can lead to wrongful charging and conviction of innocent people. Jeff Kukucka, Saul M. Kassin, Patricia A. Zapf, Itiel E. Dror, Cognitive Bias and Blindness: A Global Survey of Forensic Examiners. Journal of Applied Research in Memory and Cognition. 2017. https://web.williams.edu/Psychology/Faculty/Kassin/files/Kukucka%20et%20al.%20(2017)%20-%20FCB%20Survey.pdf

34. The Gray Rhino by Michele Wucker https://www.wucker.com/writing/the-gray-rhino/

35. Monsters, Aliens, and the End of the World, Taylor & Francis EDPACS, April 2018, by Brian Barnier

36. As of March 13, 2020

Additional information

Notes on contributors

Brian Barnier

Brian Barnier is head of analytics at ValueBridge Advisors, helping leaders manage risk to growth. He has served on ISACA bodies that created Risk IT and COBIT5, co-chaired the OCEG Steering Committee, co-chaired the International Corporate Governance Network’s cybersecurity guidance, and is an editorial panel member of EDPACS and ISACA Journal. He has been a non-profit audit committee chair. In prior roles, he was at IBM, Lucent (now Nokia), and Ameritech (once and again part of AT&T), across which he led teams to nine patents. He is a frequent keynote speaker and workshop teacher. He is the author of The Operational Risk Handbook (Harriman House, Great Britain, 2011), a contributor to Risk Management in Finance (Wiley, 2009) and Risk and Performance Management: A Guide for Government Decision Makers (Wiley, 2014), and author of over 100 articles. He can be reached at [email protected].

Prachee Kale

Prachee Kale is a director in diverse talent management and advancement at a mid-sized financial services firm. She was previously the director of strategy and program management in the risk department, where she was responsible for Cybersecurity and Information Security initiatives. She successfully implemented sound program and budget management practices, drove long-overdue projects to completion, and significantly cut spend. She spent a decade at a Big 4 consulting for financial services firms where she focused on strategic business and technology transformations and regulatory requirements. Before that, she was at the World Bank. An influencer and conversationalist, she has helped stakeholders navigate corporate governance boundaries, develop partnerships and manage change associated with high-impact efforts. Note: The participation in this article of Prachee Kale is solely for educational purposes based on her knowledge of the subject, and the views expressed by her are solely her own and do not reflect the views of her employer.
