Why Resilience Fails - Part One

There are lots of ways that security fails but we should consider the broader issue of resilience. The news is full of evidence that security fails and everyone accepts that security fails and will fail as attacks become more sophisticated. So the focus on resilience and the ability to withstand and survive a breach is now getting more attention and rightly so. But this adds new challenges and more pressures on budgets, for firms that have to decide how to do resilience or incident response.
We spend a lot of time conducting red team exercises and war games and in every case without exception, depending on the nature of the attack scenario of a war game, resilience fails.
In most cases the causes of failure fall into five areas that should keep security teams awake at night. As the threat landscape shifts on a daily basis, firms question their evolving awareness of threats, and their self- awareness should point them towards the nature of their vulnerabilities. Everyone has them.
This in turn should lead firms to question whether they are prepared for what today will bring with a solid security controls framework that works. But when they face a breach, their plans will face the ‘real-world’ test and everyone hopes that they got their doctrinal planning right  - even if their actual response to the problem does not go exactly according to the detail of their plans. And when security fails, and their incident response, crisis management, and business continuity plans need to deliver resilience.
When resilience fails, we need to learn the lessons, and we could look to these five areas. But I prefer to look at it slightly differently. Failure can be described in three different ways.
Points of Failure, will look at what failed whether that is a specific ‘domain’ or specific capability planning around those domains.
Modes of Failure will look at how it failed: technology in itself can fall short of our expectations, often because of the failure of processes that are supposed to keep that technology effective. But processes in their own right describe how things are to happen and failure often stems from things not happening the way they are supposed to. Management failure can cover a plethora of failings that can be traced back to the functions of either the management process, or managers themselves.
Characteristics of Failure will look at why it failed, and it is potentially the hardest question to ask of an organisation. What characterised their failure.
When we look to the real reasons why resilience fails is often comes down to how the organisation deals with ‘the unexpected’, or how it functions under pressure of a breach and here we can look at very human issues:
  • Failure in Recognition:  Not recognizing the problem, its symptoms or causes and differentiating between the two, not recognising the scope of the problem for what it is and what is is likely to be or what is could be now, or in a couple of hours time.
  • Failure in Interpretation: Not interpreting correctly what should have been recognised, analyzed, or correlated with threat intelligence, reality, or conflicting signals.
  • Failure in Decision Making: There are decisions that were not taken, the wrong decisions that were taken, decisions taken for the wrong reasons, at the wrong times, and so on.
  • Failure in Action: Even after decision are taken there are often failures attributed to their ‘actionability’ – so if the decisions were actionable, were they actioned fully correctly, in a timely fashion.
If we were going to deep-dive all the different and specific underlying reasons for failure, I always find organisational and managerial problems that ultimately mean that things were wrong from the start, that resilience was never likely to work, was never understood, never fully supported and funded properly, never planned or developed properly, or never implemented properly.
So why is resilience so difficult? Well….. no one should have suggested that resilience is easy!

In Why Resilience Fails - Part Two I will explore why resilience is difficult and what you can do to improve.
For more information about Maturity and Cyber Readiness Assessments visit http://www.optimalrisk.com/Information-Risk-Security-Consulting/Cyber-Readiness-Services
Posted: 5 May 2015 by Optimal Risk Admin | with 0 comments
Filed under: cyber, incident, resilience, response, security