Films, in general, comprise two typical discoveries – a character’s self-discovery and that of her world.
Wonder Woman revolves around Diana of Themyscira’s quest to vanquish Ares, the God of War. Diana, despite her intelligence and strength, was wrong. Yet, she changed. In cybersecurity, how are problems framed? How quickly do people change? Do they have Diana’s sense of mission and urgency?
What Exactly Is a “Control”?
Pause your reading of this article. Write down your definition of “control.” Now ask five colleagues to do the same and compare notes.
If you walk through the woods with three specialists – an ecologist, an entomologist and a businessman – each will have different observations. Cognitive biases cause people to force-fit their mental models on experiences and concepts.
Investigating “controls,” we discover two origin stories.
- Financial reporting controls trace back to ancient Egyptian grain accounting.
- Automated controls trace back to ancient Greek fishing and hunting gear. They developed into Leonardo da Vinci’s machines, like the cam hammer.
Historically, accountants were cautious about applying financial reporting-style controls to business operations. In 1980, in a seminal study funded by the Financial Executives Institute (FEI), the authors “…found it very difficult, if not impossible, to develop a list of significant procedures that a company must perform or be judged lacking in internal control.”
Michael Cangemi, former CEO of FEI, International President of ISACA and COSO Board Member recalls, “I explored auditing internal control for Foreign Corrupt Practices Act compliance when I joined Phelps Dodge as Chief Audit Executive in 1980. Companies have always developed processes for ensuring the protection of assets and internal control. I found that internal control is different in every company, does not easily lend itself to frameworks or checklists and requires much more subjective auditing.”
What Is NOT a “Cybersecurity Control”?
As detailed in “Cybersecurity: The Endgame – Part One,” an unintended consequence of the Sarbanes-Oxley Act was the application of financial reporting-style controls to cybersecurity.
Dan Goelzer is the author of an insightful newsletter on PCAOB activities, Retired Partner, Baker McKenzie, and former Acting Chair, PCAOB.
He observes, “Operational controls are only secondary to financial reporting controls in the sense that, if they fail, you ‘only’ might go out of business – potentially devastating to you, your investors and your employees. If you don’t have good ICFR you might, at least in theory, go to jail. People should not, but sometimes do, confuse ICFR with cybersecurity controls. Preventing and repelling cyberattacks is far beyond ICFR.”
The two types of controls are entirely different in design for entirely different purposes.
- ICFR – manage the risk to accurate recording of the financial consequences of tangible transactions that occurred in the past, in a relatively stable system
- Automated – manage the risk of cascading situations in the future, in a dynamic system
Applying ICFR-style controls to cybersecurity is a definition error. Would you fly in a plane with ICFR-style controls? No! You want the automated avionics that move the flaps and ailerons.
Paul Sobel, former IIA chair and current COSO chair, summarizes based on the specific definitions of each type of control:
“When facing cyber risks, ‘reasonable assurance’ is not sufficient. ICFR with reasonable assurance was not designed to provide ‘as close to absolute assurance as possible.’ Lessons learned from designing industrial control systems can provide that assurance. Also, dynamic methods of managing risk are needed to survive in the fierce world of cyberattacks.”
Wonder Woman’s False Sense of Security
Wonder Woman embraced the unassuming Sir Patrick. His demeanor gave her reasonable assurance that he couldn’t be Ares. Diana was wrong.
For cyber pros, chasing the wrong types of controls is life on a gerbil wheel – high risk, little business impact, monster spend and unfulfilling.
Another false sense of security and blind spot was Diana’s “god killer” sword. It slew Ludendorff, but Ares casually destroyed it.
The misapplication of ICFR-style controls is a formal root cause of breaches, waste and pain. It warrants fixing with safer solutions.
- Cyber is a system, so apply systems thinking.
- If you are already applying “systems engineering,” that’s good.
- But too much of systems engineering for cyber is narrowly focused on either 1) bringing security into app dev or 2) knitting together piece-part security tools. It doesn’t include the full scope of the system.
- It needs a more scientifically accurate view of a system – where anything with a causal impact is part of the system.
- Power up cybersecurity and drive better business outcomes. Apply design thinking – the vanguard of cybersecurity.
- Design thinking for cybersecurity takes proven and practical critical thinking and systems thinking and adds a designer’s lens.
- This lens brings practical benefits such as 1) challenging the accuracy of preconceived views – just like Wonder Woman did – and 2) simplifying complexity.
- Eliminate futile ICFR-style controls for cybersecurity.
- Fix ICFR-style controls that are helpful, such as IT systems hygiene. But realize 1) they lack the mathematical reliability of automated controls, 2) their cost is excessive and 3) they can distract from safer actions.
- Focus on automated-style controls that work like IT systems reliability and engineering.
- Outthink cyberwarfare enemies – embrace robust scenario analysis. Ask, “Would the scenarios make a good film?” (See The Operational Risk Handbook for more scenario workshops.)
Here is a key challenge: the struggle to change, even in life-threatening situations, has been researched since Plato, Aristotle and Thucydides. Organizational mass and inertia resist change. Overcoming them requires a catalyst.
Surprise – the catalyst for improvement is you!
Let’s finish our walk in the woods. As a cyber pro, compare your view to the ecologist who sees the wood’s ecosystem and the businessperson who sees its financial value. Individually, each specialist is limited to their own discipline and biases. You miss the 3-D view. You expand your influence and impact by seeing what others miss.
Making Change Easier
- Reframe to clarify the real problem. Symptoms often mislead – discover alternative diagnoses, think differently. View cybersecurity as a system – the whole is greater than the sum of its parts.
- Address “hardwired” resistance. Have powerful but safe conversations and factor different perspectives to find root causes. Offer choices and reasons for change.
- Design the shortest path to an ideal future.
Find accelerants – a transformation leader, an innovation/design lab or a professional coaching program. Why aren’t cyber pros coached and invited to such labs? Primarily because cyber isn’t viewed as value-creating.
It’s worth its weight in palladium to partner with coaches and innovators to generate the gift of value.
Design thinking, including envisioning alternative futures, is powerful. Facing cyberwarfare, consider five futures:
- Same cybersecurity methods, no change – worst future
- Same methods, more money and run faster – degraded future
- Minor improvements, more money and run faster – static future
- Cutting and/or fixing ICFR-style controls, onetime spend, improved operations – better future
- Fully fixing ICFR-style controls, applying automated controls, and shifting to a systems and psychology approach – best future
Which one would you pick?
- ICFR wasn’t designed for cybersecurity
- The opportunity cost of inaction is very high
- Valuable change is based on critical thinking, systems thinking and psychology – combined and applied by design thinking
- Your personal opportunity – generate the gift of value
Just like Wonder Woman and creative disciplines, design thinking has much to offer cyber to catalyze change.
Note: This article was adapted from Brian Barnier & Prachee Kale (2020) CYBERSECURITY: THE ENDGAME – PART ONE, EDPACS, Taylor & Francis
Disclaimer: Views expressed by the authors are their own and not necessarily those of their employers.