Cybersecurity For Business
By now you have at least read about, if not suffered through, the recent outages at Amazon Web Services (AWS) and Microsoft Azure. These are two of the Big Three providers of cloud computing, the other being Google Cloud.
My colleagues assure me that most of you do not want to read a crisp diatribe on the source of the service outages; they tell me that most of you only want to know that these were both calamities having to do with systems administration and configuration.
With great effort I will save the rant about DNS in particular and Network Administration in general for another time and place. But I won't resist the urge to revisit my favorite cybersecurity rant about how it is not a good idea to reduce cybersecurity to just defending computer systems against malicious attack.
What else would "cybersecurity" be, you ask? To be all nerdy about it, we at Pythia Cyber define cybersecurity as policy and procedure aimed at maximizing authorized access of digital assets while minimizing unauthorized access.
Having your digital assets disappear from view for many hours denies you access to them. Your lost productivity is just as great if the cause is NOT malicious attack. Human error and systems failure (either software bugs or hardware failure) both work very well to cause productivity loss. So far as we know, neither the AWS outage nor the Azure outage was caused by malicious attack. No one I know who was forced to twiddle their thumbs at their desk took any comfort in the motivations behind the outages; they just wanted to get back to work.
It is true that there are academic computer scientists who have the luxury of choosing to only think about malicious attack when they think about cybersecurity. It is true that there are groups within almost every government on earth who are tasked with either attacking or defending digital assets and these groups can also get away with this reductive definition of cybersecurity. Both of these groups care much more about data theft than data loss. (Yes, I know that sabotage is part of the cyber warfare package but that is beyond the scope of this post.)
Businesses cannot get away with simply choosing not to think about human errors and system failures. Pythia Cyber is a business and our clients are businesses (even the non-profits). Accidental file deletion and burst water mains are not the stuff of TV or film plots, but they happen and they hurt your bottom line. The uncool stuff costs you time and money.
In our terms, the uncool stuff can stop or impede authorized access and it can allow or facilitate unauthorized access. As a technology leader you cannot afford to ignore this facet of cybersecurity because it complicates managing up and it complicates managing down.
As for managing up, you need to get your peers on board with unsexy, time-consuming and potentially expensive programs to ensure that your systems stay up. Backing up, restoring, managed configuring: you have a legitimate interest in them all. Might this legitimate interest look like a power grab? Yes, but you need to make the case that it is not a power grab.
As for managing down, you need to get your reports on board with treating systems administration and configuration with the same care that your cyber defenders use in defending against malice. Might this legitimate interest look like sticking your nose where it does not belong? Yes, but you need to find the common ground so that IT Ops and Cybersecurity work together for the benefit of all.
Often this overlap is easier to manage in small organizations because there is only one IT department in charge of both of these functions. Often this overlap is harder to manage in large organizations which unintentionally pit IT Ops against Cybersecurity in competition for resources.
Are you not sure that you have set the IT priorities appropriately? Are you having trouble balancing IT Ops and Cybersecurity? Don't be shy: outside perspective is only available on the outside. Pythia Cyber can help.