White Box Cybersecurity for Techies, Part 1

One of the Pythia Cyber founders introduced his novel way of describing our goal, "white box cybersecurity," in this post. But that post was aimed at management and this post and its follow up are aimed at technical people; cyber warriors and cyber defenders. The people in the cybersecurity trenches.

This post is the first of a pair. The second one is here. This first post explains what we mean by white box cybersecurity and black box cybersecurity. It also outlines why we think black box cybersecurity is bad for techies. That post explains why we say that white box cybersecurity is good for techies.

By "white box" he means the opposite of black box. A figurative black box is something whose inner workings are unknown and perhaps a mystery. By analogy, a white box is something whose inner workings are known and understood.

Black box cybersecurity therefore is what we call the all-too-common arrangement whereby management doesn't ask and IT Security and System Administration don't tell. This deal is dysfunctional in the sense that it works, but is not healthy. Management avoids thinking about cybersecurity and in return, management gives up any meaningful oversight or input into priorities, budgets and timelines. People doing the actual securing of cyber assets avoid management oversight but at a price: they take responsibility for anything and everything that happens in the cyber realm.

This arrangement is common because it allows people to avoid being uncomfortable and most people just love avoiding being uncomfortable. But avoiding issues is rarely a good way to deal with those issues, even if avoiding issues feels pretty great in the short term.

Pythia Cyber has often talked about how this arrangement is not a good idea for executives. Today let us consider how this arrangement is bad for the techies.

This seems counter-intuitive: how could a blank check ever be bad? Isn't it the techie dream to be free from having to explain technology to the ignorant, having to justify actions to the uncomprehending, having to accept input from people who have no idea what you do?

This does sound pretty great in theory and, in practice, it is pretty great at first, like any good horror movie set-up. But then something goes wrong in the cyber realm. Anything, any little thing goes wrong. Even things that have nothing to do with you or your department. When something goes wrong the blank check morphs into a signed confession. You take the blame for whatever decisions were made, implicit or explicit. "I didn't know that" is all you hear from your managers. "Why did you do that?" also makes an appearance. "I never approved that" is another common response.

Hindsight is 20/20, but when looking at someone else's decisions and choices, hindsight becomes powerful enough to see distant galaxies. Suddenly every misstep leading up to whatever went wrong becomes blindingly obvious to everyone. How could you have been so careless, or foolish, or out-of-date?

Here is a truth techies rarely learn and are slow to acknowledge: In a well-run organization, oversight has benefits. Oversight spreads the burden of command. Oversight means that you get more input, more perspective and more experience to bear on your operations.

"But wait," I hear you say, "how many of the executives can help me configure a firewall or set up email filters or secure a web server?" None, presumably. However, there is a difference between oversight and micro-management. Can oversight by executives help you prioritize cyber assets for protection, or set up policies to define that protection, or provide you with budget and people to do that protecting? Yes, this is literally their job. And it is literally not your job. You don't run the company, you run the cybersecurity program. Do your job and let them do theirs.

Don't fall into the trap of accepting responsibility without authority. Don't let your management off the hook. Communication with people outside of our domain is not as highly prized a skill as it should be, but it is a skill that almost every successful cybersecurity program manager has. You can learn how to do this and Pythia Cyber can help.