Connect with us

Tech News

The cyber industry needs to accept it can’t eliminate risk

Published

on

From manifesto to material: What No. 10 needs to make reality

In the field of cybersecurity, there is a belief that we must hold ourselves to a higher standard of scrutiny than others. We are expected to be the benchmark of excellence – a level of perfectionism that is unattainable. So, what happens when a cybersecurity company makes a simple mistake?

CrowdStrike serves as a case study in this regard. I recall reading the technical report, and it was as ‘simple’ as adding an extra field to a template that caused everything to crash. However, I suspect this was not just a simple test case failure; it was likely a series of events that led to a significant global issue. This is often referred to as the Swiss cheese model, where a series of failures align, creating holes in the system that allow an incident to occur.

It is important to acknowledge that these incidents do happen because we can never completely eliminate risk in technology. By changing our perception of this fact, we can better prepare to handle future incidents effectively and understand the risks involved, no matter how unlikely they may seem.

Acknowledge the systemic nature of risks

The CrowdStrike outage raised an important question – have we become too reliant on technology companies that are interconnected in one large system?

We use centralized cloud and SaaS providers because the benefits often outweigh the risks. However, if a major provider experiences an incident, it could have far-reaching impacts on organizations that depend on their services.

This situation can create a “too big to fail” scenario, similar to the financial sector, where the failure of a key player could have cascading effects.

See also  I tried this ChatGPT competitor, now at an all-time low price for Cyber Week

While people are generally good at understanding personal risks, they struggle to grasp the larger systemic issues we face. It may be time to diversify our technology stacks and avoid putting all our eggs in one basket.

Zero risk is not achievable

It’s important to be realistic – we cannot eliminate all risks.

We need to focus on reducing risk to a reasonable, manageable level rather than striving for absolute perfection. There will always be some level of risk that needs to be addressed. The concept of As Low as Reasonably Practicable can be a helpful approach in managing risk effectively.

Be transparent about residual risks

It is crucial to be honest about the fact that some risks will remain even after mitigation efforts. Setting realistic expectations with stakeholders and senior management is key.

Transparency is essential in maintaining trust and preventing incidents. CrowdStrike handled their incident well by being open and clear in their communication with customers and stakeholders, providing constant updates and remediation advice. Organizations must find the right balance between keeping security measures simple and easy to implement, while also being transparent enough to manage risks effectively and maintain trust.

Trending