An article for security professionals.
Mark J. Baudot, CISSP
We are often our own worst adversary. We sometimes allow for distractions and often make exceptions that cause us to de-prioritize security team mission objectives. As a result, during these times, we are unable to maintain an acute situational awareness (ASA) regarding security posture. In this context “acute situational awareness” is not simply being aware, but proactively engaging in your activities with situational awareness at the forefront of your priorities, thus enabling you to accomplish your mission objectives.
Take a moment to think about this hypothetical analogy. You, a cybersecurity professional very familiar with concepts such as “situational awareness”, are driving home from a long day at the office. It is a warm sunny day with few clouds in the sky. Just like blinking and breathing, you have added driving to your repertoire of automatic skills. You are not really thinking about the act of driving. You are just driving as an act of habit. No skill needed here, eh? In fact, as sometimes happens, you will pass several intersections that you won’t even remember passing through. Tell me you haven’t done THAT before and I’ll laugh while your nose grows! Your mission? Simply put: Reach your destination safely.
While in this automatic mode, you are re-hashing the challenges of the day by giving deep thought to ironing out some minute detail of network cybersecurity policy that that loud manager from the revenue-producing department has been giving you grief about. You are annoyed because of his claim that “The Cybersecurity Team always seems to get in the way of my organization’s ability to be able to maintain a high level of performance!” “Wow, ouch!” you think to yourself. After all, you have cheerfully supported your organization’s efforts for years and now you’re being blasted.
Suddenly, the bright flash of red taillights brings you back to the here-and-now.
Your sin, of course, is that you were daydreaming. You allowed yourself to lose ASA on the bigger picture – your mission – reaching your destination safely. You allowed someone (or something) from outside your processes to affect your mode of operation. You slipped into autopilot mode, so to speak.
Now consider this. Paying attention to what you are doing is only one of the many tools needed to complete your mission, but arguably the most critical. You lost ASA because you allowed an external entity to de-prioritize your process of driving safely. You needed to maintain ASA. For this little feat to happen, you would have to regain control and consciously use your many driving skills while specifically prioritizing situational awareness in the context of the here-and-now, thus avoiding the diabolical error of autopilot mode.
The analysis seems obvious, plain and simple, doesn’t it?
Now, let’s talk security posture. Security Posture is defined by NIST Computer Security Resource Center as follows:
“The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.”
And from that definition, consider the actions which allow us to shore up the security posture of our organization: “…to manage the defense of the enterprise and to react as the situation changes.” Hmm, ‘manage’ and ‘react’. These are activities which require ASA: a very conscious effort to keep the bigger picture – security posture – in mind. It is prioritizing that conscious effort which allows follow-through on delivering the most secure network environment that can be delivered to the organization.
Beware though! As humans working the corporate grind, we are ALL susceptible to getting into a ‘comfortable demeanor’ – just like our driving example above – regarding our mundane day-to-day activities and processes. As cybersecurity professionals it is prudent to practice maintaining an ASA and avoiding the nefarious ‘autopilot’ mode of operation. Yes, I said, “Practice!”. Maintaining ASA is a skill that takes practice, practice and more practice.
But, more importantly, it is not enough that we individually maintain the ASA required to defend against autopilot mode. Security professionals need to expand that idea to an organizational level, and a corporate level as security teams, by setting an example of ‘practicing’ active, conscious and acute situational awareness during mundane day-to-day organizational processes before these suddenly become infected with bad habits or even complacency. As our driving analogy above demonstrates, one can be an excellent driver, driving a mechanically sound car, in perfect driving conditions, but not being acutely aware of the situation can lead to an event which may cause lots of grief: an incident that could, more often than not, easily have been prevented.
So, here is a challenge for you. Identify a task or process within your organization that may be susceptible to situations that cause the security team to lose ASA. Does the process itself make allowances for ASA loss? Investigate circumstances that exploit that process’ vulnerability, thereby causing the process to ultimately be impotent or moot. Are the circumstances driven by internal or external threat actors, which can be people or other processes? To give a couple of seemingly common examples: Are there recurring themes such as the old “The C-level wants this in place, so just get it done!” or the ever pressing, “Hurry up and meet this department’s request deadline!”? Both can distract from maintaining ASA, preventing the organization from consciously executing on its higher-level mission: “…to manage the defense of the enterprise and to react as the situation changes.” If you are on the leadership team, do you hear complaining about such distractions, either directly or maybe in the form of on-going comments or jokes among staff members? These can all be indicators that the organization may have an opportunity to re-focus so as to maintain its ASA.
Like any other bad habit, it will be hard to disrupt or eliminate. We are all aware that everyone resists change. Organizations usually don’t take kindly to abrupt disruptions to well-established “priority shifting” edicts like the examples above. Also, it is very hard in most cases to challenge the repetitive, rudimentary and well-established institutional bad habits, as these may now be tribal wisdom of the corporate culture. These circumstances may (and probably do) directly or indirectly cause the security team’s ability to maintain ASA to wane.
What to do? Privately and politely point out to your leadership your suspicion and concern regarding maintaining ASA. Explain what you believe to be the cause and the effect it has on ASA, along with the effect it has on your ability to execute your role as a cybersecurity professional. If your assertion is valid, you may be surprised that leadership, both inside and outside of the cybersecurity organization, will be willing to work to resolve any circumstance, ASA or otherwise, that has an adverse effect on the organization’s security posture. And don’t just show up to raise the alarm. Bring a proposed solution to the conversation and demonstrate a willingness to help leadership develop, socialize and effect the solution to the advantage of enhancing and shoring up the organization’s security posture.
To find out more, please reach out to us at FutureComNews@fcltd.net or call 817-510-1126.