Systems Thinking for Cybersecurity Professionals
Let's hit RESET!
Editor’s note: I’m thrilled to share a new guest post by my friend Laksh Raghavan. I’ve known Laksh for years, and he has great insights from over 23 years of cybersecurity experience as a practitioner and a consultant at Fortune 500 companies across the globe. He is now the Founder of Cyb3rSyn Labs, which is focused on promoting multidisciplinary thinking for technologists. Enjoy! -Clint
TL;DR:
The blog post introduces systems thinking as a lens for cybersecurity professionals. It recommends that we view organizations as complex adaptive systems with purposeful actors and calls for a multidisciplinary approach to dissolve today’s dominant cybersecurity problems.
Introduction
Most cybersecurity problems have known solutions. Take credential theft via phishing attacks, for example: we know that FIDO Keys are effective at defending against it.
The real issue is not that we don't know "WHAT" to do. The challenge in the trenches has always been in the "HOW"!
How do I roll out FIDO keys within MY organization - with our budget constraints, prioritization conflicts, organizational design, legacy baggage, proprietary technology stack, etc.?
Unfortunately, cybersecurity is a niche specialization today. But the answers to our questions lie in other disciplines. Backed by years of theory-informed experimentation in the trenches, I’m calling for a multidisciplinary approach to cybersecurity.
The cybersecurity approaches of today are violating many fundamental insights and first principles from other fields - starting from human nature (psychology), complexity, systems thinking, ergodicity, cybernetics and more.
When these insights, principles and heuristics are taken seriously, our approach to cybersecurity completely changes from the mainstream approaches. We can then figure out a new “how.”
This post discusses insights from systems thinking, using real-life examples, and explores what they mean for the field of cybersecurity.
"If A is narrow professional doctrine and B consists of the big, extra-useful concepts from other disciplines, then clearly the professional possessing A plus B will usually be better off than the poor possessor of A alone. How could it be otherwise?"
Systems Thinking
When it comes to leadership in tech firms, a true ‘emperor has no clothes’ situation is in the application, or lack thereof, of Systems Thinking.
I’m not asking for something new. All modern “ways of working” call for the application of systems thinking.
For example, DevOps calls it "the first way". LeSS wants us to “Apply Systems Thinking.” But, the reality is that very few leaders and entrepreneurs understand what that really means. We are all caught up in methods (that specify “what” to do), but don’t know the “how” and more importantly the “why.” There is so much talk about first-principles thinking, but none applied when it comes to organizing humans with a common purpose.
“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.”
The post will not attempt to explain what systems thinking is as there are multiple traditions. But, I highly recommend the books of Dr. Mike C Jackson for the curious. Here is the link to his latest book, ‘Critical Systems Thinking: A Practitioner's Guide’ in which he explores and critiques the best-known systems methodologies. I highly recommend it to people who want to understand the potential of systems thinking and use it in their day-to-day work.
Every decision we make has both intended and unintended consequences. Overlooking feedback loops and neglecting interactions and interdependencies can lead to outcomes that are completely contrary to our original intentions.
This is sometimes called the “cobra effect”. The economist Horst Siebert coined this term from a story originating in the British Raj. To tackle the venomous cobra problem in Delhi, the British government introduced a bounty for each dead cobra. At first, this approach seemed effective, as many snakes were killed for the reward. However, the situation took a turn when people started breeding cobras to earn money. Once the government discovered this, they ended the reward program. As a result, the breeders released their cobras, ultimately increasing the wild cobra population.
I will now take the lens of systemic thinking and explore how the cybersecurity industry has created our own ‘cobra effect’ with our attempts to solve phishing attacks. But first, let me set the stage by discussing the four different ways we can treat a problem as put forward by the systems thinker, Russell Ackoff:
Absolution: Ignore the problem and hope it will solve itself or go away. Parents who have dealt with kids fighting with each other know what I’m talking about.
Resolution: This approach seeks to find a solution that is "good enough" or satisfactory. It aims to address the problem in a way that meets the minimum requirements or alleviates the most pressing symptoms, but it may not be the optimal or most sustainable solution. Uses experience, common sense, qualitative judgment – a clinical, humanistic approach.
Solution: This involves finding the best possible solution to the problem within the current constraints. It requires a deeper understanding of the problem's root causes and a thorough evaluation of different options to identify the most effective and efficient course of action. Uses scientific research, experimentation, quantitative analysis, and optimizing techniques.
Dissolution: Redesign the system that has the problem or its environment in such a way to completely eliminate the problem. Dissolution may incorporate all the other ways of treating problems.
Dissolution is generally regarded as the best approach to treating any problem. In this approach, we typically don’t see and solve the problems where we find them - in a silo, within the system boundary of a department or an organization. Dissolution attempts to completely eliminate the problem by changing the environment of the system in question.
It nudges us to carefully consider our system boundary and values. It invites us to explore the environment to see if something could be changed there to completely eliminate the problem within the system (or whether something in that environment could be harmed in the process, e.g. environmental pollution).
(Note: Before we proceed further, I’d like to call out a typical trap that most new systems thinkers fall prey to. Once exposed to the ideas, they think that they can now see the “whole” system - but there is no single representation of what a “system” really means. The meaning can change depending on who the observer is. My narrow view of what a system should do and what the outcomes should be may not align with another participant’s perspective - each of us has our own perspectives and cultural nuances. The antidote was poetically articulated by the systems thinker C. West Churchman: a systems approach begins when first you see the world through the eyes of another.)
Phishing Attacks
Phishing attacks are a problem that any organization has to solve for - for its customers and also for its employees. Expanding the system boundary makes one consider the environment of the organization - the larger Internet and email ecosystem, device manufacturers, browser vendors, etc. - so that we can attempt to modify it in such a way that the problem is completely eliminated.
Let’s rewind the clock back to the early days of the world wide web. A huge percentage of the users didn’t have unique passwords or had simple easy-to-guess passwords. Over the years, as credential stuffing and phishing attacks increased, organizations began asking their customers to pick complex & unique passwords and added in the complexity of managing “one-time” codes via authenticator apps and SMS messages.
SMS-based one-time codes were then considered to be a cybersecurity “best practice”. The hypothesis was that you can build strong authentication when you rely on two factors: what you know (password) + what you have (your mobile phone). It kinda made sense - even if your password is compromised, the attacker can’t steal your mobile phone, and so the customer’s account remains secure.
For the sake of this post, let’s ignore the inherent vulnerabilities of the SS7 infrastructure that underpins mobile networks and the fact that attackers can and did quickly evolve their phishing kits to ask for the SMS code in addition to the password.
What’s good for the individual (website) may not be good for the collective. Could broad adoption of SMS-based codes by prominent websites negatively impact our customers’ security? With the passage of time, we now have the answer!
Attackers have realized how valuable your mobile number has become. It is not enough to simply raise the cost/risk of an attack - compromising a mobile number, in this case. The return on investment for the attacker has also gone up exponentially. So, fraudsters have now resorted to what’s called a SIM swap scam.
If they can compromise your email password and then use it to identify and hijack your mobile number, they can get the SMS codes for all the websites and online services you use.
As in the cobra effect, the overall net negative impact on customers has now worsened over time - if our customers’ phone number is compromised, they not only lose the credentials of just one website, but also their brokerage accounts, retirement accounts, bank accounts, social security number, etc.
But, here is the good news! We are error correcting… SMS-based OTP is not a “best practice” anymore as the world slowly moves towards non-phishable credentials like FIDO Keys and Passkeys. How can attackers steal the password if it doesn’t exist in the first place!
The FIDO Alliance is an awesome example of how a few intuitive systems thinkers expanded their system boundary and moved beyond traditional organizational boundaries to dissolve the problem with passwords.
TL;DR:
Solutions: Password complexity/rotation, SMS 2FA, TOTP, etc.
Dissolution: Non-phishable credentials
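To make the “solution vs. dissolution” contrast concrete, here is an added example (not code from the post or from the FIDO Alliance) that models both factors side by side. It assumes Python 3.9+ and, as a simplification, uses an HMAC over a per-credential secret in place of the private-key signature a real FIDO authenticator produces; the origins, users and codes are constructed for the example. The point it shows is that an SMS code carries no information about where it was typed, so the relying party cannot tell a relayed code from a genuine one, whereas a credential is scoped to the origin it was created on and the signed payload names that origin, so nothing obtained on a lookalike site verifies.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the illustration.
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.evil"   # lookalike, constructed


def _sign(key, challenge, origin):
    """ASSUMPTION: HMAC stands in for the authenticator's asymmetric signature.
    The signed payload binds the challenge to the origin it was produced for."""
    payload = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class RelyingParty:
    """The legitimate website: issues challenges/codes and verifies responses."""

    def __init__(self, origin):
        self.origin = origin
        self.sms_codes = {}       # user -> one-time code (constructed)
        self.credentials = {}     # user -> credential secret (constructed)

    # Legacy factor: SMS one-time code.
    def send_sms_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[user] = code
        return code               # in reality delivered to the phone

    def verify_sms_code(self, user, code):
        # The code says nothing about *where* it was typed: a code relayed
        # through a phishing page is indistinguishable from a genuine one.
        return hmac.compare_digest(self.sms_codes.get(user, ""), code)

    # Non-phishable factor: origin-bound credential.
    def register_credential(self, user, secret):
        self.credentials[user] = secret

    def new_challenge(self):
        return secrets.token_hex(16)

    def verify_assertion(self, user, challenge, assertion):
        if assertion is None:
            return False
        if assertion["origin"] != self.origin:
            return False          # signed for some other site: reject
        expected = _sign(self.credentials[user], challenge, assertion["origin"])
        return hmac.compare_digest(expected, assertion["sig"])


class Browser:
    """Models browser + authenticator: a credential is usable only on the
    origin it was created for, and the signed payload names that origin."""

    def __init__(self):
        self._creds = {}          # origin -> secret

    def create_credential(self, origin):
        secret = secrets.token_bytes(32)
        self._creds[origin] = secret
        return secret

    def get_assertion(self, origin, challenge):
        key = self._creds.get(origin)
        if key is None:
            return None           # no credential scoped to this origin
        return {"origin": origin, "sig": _sign(key, challenge, origin)}


def sms_relay_scenario():
    """Victim types the SMS code into a phishing page, which forwards it."""
    rp = RelyingParty(REAL_ORIGIN)
    code = rp.send_sms_code("alice")          # arrives on the victim's phone
    relayed_code = code                       # typed into PHISH_ORIGIN, forwarded
    return rp.verify_sms_code("alice", relayed_code)   # True: the RP accepts it


def passkey_legit_scenario():
    rp, browser = RelyingParty(REAL_ORIGIN), Browser()
    rp.register_credential("alice", browser.create_credential(REAL_ORIGIN))
    challenge = rp.new_challenge()
    return rp.verify_assertion("alice", challenge, browser.get_assertion(REAL_ORIGIN, challenge))


def passkey_relay_scenario():
    """Phishing page fetches a real challenge and asks the browser to sign it."""
    rp, browser = RelyingParty(REAL_ORIGIN), Browser()
    rp.register_credential("alice", browser.create_credential(REAL_ORIGIN))
    challenge = rp.new_challenge()
    # Case 1: the browser has no credential for the lookalike origin at all.
    no_cred = rp.verify_assertion("alice", challenge, browser.get_assertion(PHISH_ORIGIN, challenge))
    # Case 2: even if the victim had been tricked into creating a credential on
    # the lookalike site, its assertion names PHISH_ORIGIN and is rejected.
    browser.create_credential(PHISH_ORIGIN)
    wrong_origin = rp.verify_assertion("alice", challenge, browser.get_assertion(PHISH_ORIGIN, challenge))
    return (no_cred, wrong_origin)            # (False, False)
```

Run `sms_relay_scenario()`, `passkey_legit_scenario()` and `passkey_relay_scenario()` to see the three outcomes; the design choice worth noticing is that the origin check happens on the relying party as well as in the browser, so neither side has to trust the other to get it right.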
Vulnerability Management
The insights from systems thinking can be applied to internal organizational context as well.
Let’s now look at traditional "vulnerability management" (including application layer vulnerabilities) from this lens and make the case for a synergistic approach to dissolve problems instead of solving them.
If you try to solve a "problem" where you found it, in most cases you might actually end up making the system worse. Problems are just abstractions - they exist only inside our heads. No problem lies in isolation in a complex system - they are all deeply interconnected and we must learn to see in the context where there are multiple such “problems” in action.
When a CISO says that vulnerability management is “broken” in an organization, that’s just the perspective from the cybersecurity team.
When you start peeling the proverbial onion, you’ll notice that what’s really “broken” (or non-existent) is one or more of the following: asset management (inventory), configuration management, OS image management, automation, legacy apps that can’t handle automated patching and reboots, and so on - all entangled in a complex web of interdependencies with many other variables like budget, profit, promotions, headcount and engagement.
Vulnerability management is not the only thing that’s “broken” - there are many other related and underlying factors that are also broken. Poor security is not a problem. It is merely a symptom that emerges from the underlying engineering practices.
There is simply no way to sustainably improve security in isolation. Traditional vulnerability management, which simply scans and reports vulnerabilities on a fancy dashboard, is flawed: it places far too much emphasis on output variables like ‘count of vulnerabilities.’
Instead of asking developers and engineering partners to fix individual instances of vulnerabilities, cybersecurity professionals must collaborate with them to focus on the input variables by building systemic and structural uplift to foundational capabilities like asset inventory. Let security be the rising tide that lifts all boats!
If your “root cause” analysis points to a developer making a mistake, then you are headed in the wrong direction. Our job is to prevent them from shooting themselves in the foot.
Apart from building foundational capabilities, here are some common ‘secure-by-default’ system-wide fixes for product security:
Framework Security Controls for vulnerabilities like CSRF, XSS, SQL Injection, etc.
CI/CD pipeline guardrails
Deprecating insecure APIs, languages, frameworks
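As an added illustration (not the post’s own code) of the first two items, a framework-level control and a CI/CD guardrail for the same class of defect: the data-access function accepts only a constant statement with parameters bound separately, and the guardrail parses source with Python’s `ast` module and flags any database sink whose statement is assembled at runtime. It assumes Python 3.9+ (for `ast.unparse`) and the standard `sqlite3` driver; the sample source and table are constructed for the example.

```python
import ast
import sqlite3

# Framework control: the statement is a constant and user input travels as a
# bound parameter, so the driver never interprets it as SQL.
def find_user(conn, username):
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchone()


def build_demo_db():
    """Constructed in-memory table for the illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn


# CI/CD guardrail: reject source that builds SQL by string interpolation.
SQL_SINKS = {"execute", "executemany", "executescript"}   # sqlite3/DB-API names


def _is_interpolated(node):
    """True if the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x  /  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


def find_interpolated_sql(source):
    """Return (line, statement expression) for every sink called with a runtime-built string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _is_interpolated(node.args[0])):
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return findings


def ci_gate(source):
    """Pipeline step: True when the file passes, False when the build should fail."""
    return not find_interpolated_sql(source)


# Constructed sample module the guardrail runs over (two violations, one clean call).
SAMPLE_SOURCE = '''
def bad(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def also_bad(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)

def good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    conn = build_demo_db()
    print(find_user(conn, "alice"))               # the row: (1, 'alice')
    print(find_user(conn, "' OR 1=1 --"))          # None: input treated as a literal name
    for line, expr in find_interpolated_sql(SAMPLE_SOURCE):
        print(f"line {line}: SQL built at runtime: {expr}")
    print("build passes:", ci_gate(SAMPLE_SOURCE))  # False
```

The guardrail is deliberately coarse: it flags patterns rather than proving a query is safe, which is the right trade-off for a pipeline check whose job is to make the insecure construction the one that costs effort. Extending the sink set to the ORM or query builder your framework actually uses is the natural next step.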
TL;DR:
Don’t play “whack-a-mole” with vulnerabilities. Treat them as symptoms and collaborate with engineering stakeholders on eliminating the underlying conditions that enabled them in the first place.
Call to action
We can’t fix software security in isolation without fixing the underlying software development practices. That in turn depends on many things, but one powerful factor is the underlying management systems in place. Changing those management systems can’t happen without the existing leaders changing their minds, unlearning and relearning new ways of working.
Today’s mainstream management suffers from reductionism, and systemic thinking is the antidote. The performance of a system is never the sum of the performance of its parts taken separately; it is a product of their interactions. But today there is far too much emphasis on improving the parts without focusing on the interactions and feedback loops…
Innovation is seen as just technological innovation showcased by open sourcing specific scanners and tools. But, what’s needed is innovation in management systems.
What needs open sourcing is not just code, but the “operating system” too. I don’t mean the Mac or Windows OS, but the organizational operating system - a “model” from the point of view of a regulator of the system.
Here is my call to action for all CxOs! Open source your organizational operating system - principles, organizational design, processes, policies, etc. Talk to the world proudly about how your employees interact - how the various teams and departments come together to craft a product. Take pride in not just what you build, but also how you build. Show the world how not to play zero-sum games!
The first step in solving security problems is to acknowledge that there are security problems.
The first step in dissolving security problems is to realize that there are no “security” problems.
If you are looking for inspiration to get you started, here is ‘Shape up’!
Let’s hit RESET! Let’s step back and think about how we think! At the minimum, let’s get a meta-conversation going about our current management practices and principles.
If you’d like to receive similar multidisciplinary insights that help improve the effectiveness of cybersecurity practitioners, executives and entrepreneurs, please subscribe to the Cyb3rSyn Newsletter.