The Art of Cybersecurity

[Image: Mona Lisa, digitally restored and color balanced]

I love the phrase "more art than science" because I feel that only pure science is "science" in the popular sense of "following clearly defined rules and therefore providing clear, reliable answers."

There is a similar issue with logic and mathematics; if you can somehow cram a topic into either one of these containers then whatever ridiculously wrong conclusions you come to are given instant credibility. For example, this old chestnut:

All apes are hairy. All men are hairy. Therefore all men are apes.

This seems logical, but it isn't logical and it certainly isn't true.

So it is with cybersecurity:

Cybersecurity is about access to computer technology. Technology is science. Therefore cybersecurity is a science.

Cybersecurity is about human beings interacting with computer technology. Human beings are inconsistent and capable of ignoring reason and of using terrible judgement. Therefore cybersecurity is most definitely not purely a science. If you prefer, behavioral awareness and technical understanding are each a necessary but not sufficient condition for good cybersecurity.

Cybersecurity may be more science than art, but it isn't a science. It isn't a science. Really, it isn't.

An obvious example of this is the question of cloud backup. This is a topic about which I hear hilariously different takes from competent, seasoned professionals. Why? Because these competent, seasoned professionals are operating in different cultural contexts, which makes them differ in their value judgments. Who is right? Often both sides are. Not very science-like, is it?

To Cloud, Or Not To Cloud?

Start with the first question: should your organization even trust the cloud?

Pro Cloud

Obviously you should trust the cloud. The cloud providers have better engineers than you do, better equipment and economy of scale on their side. They can prove that they have taken all reasonable precautions. You cannot compete.

Anti Cloud

Of course you should not trust the cloud. You don't know who they have working for them, but you do know that every major hacking group in the world, both governmental and criminal, is gunning for them. Why put yourself in the middle of that mess?

Cloud Backup?

If you do decide that you can trust the cloud, what do you trust it with? A common use is backing up: either using the cloud as archive or as a remote backup.

Pro Cloud Backup

Obviously you should have the cloud as part of your backup strategy. The cloud is the modern equivalent of the off-site backups of yore, except that you don't have to rent, secure and monitor a separate physical facility. Someone else does all that for you.

Anti Cloud Backup

Of course you should not park your data in the cloud, even if you trust it to do your computing for you. That is bonkers, to give up complete control of who accesses your data. All it takes is one bad apple administrator and you are totally compromised.

Cloud Computing?

The cloud is more than a storage facility; it is also a computing resource. A common use is running your public-facing web presence.

Pro Cloud Computing

With virtual machines and on-demand capacity increases, moving at least your public-facing web presence to the cloud is a no-brainer. It is easier and faster to spin up, it runs faster and that capacity can grow with demand. Why would you spend precious money and precious human attention on what is now a commodity? You will have a better experience for less time and money.

Anti Cloud Computing

The reputational risk of having your public image in someone else's hands is insane. If your cloud provider has a problem then you wink out of existence as far as the public is concerned, which is a huge blow these days. Does it happen often? No. Does it happen? Yes. Even if you trust the cloud to hold your archives, to which you rarely need access, don't trust it to be your public face.

The Art Part

None of these positions is exaggerated for effect: all of these positions are positions I know reasonable people to hold. What is the right answer? There is no right answer. The facts are not in dispute, only the value judgments your particular situation demands.

For Pythia Cyber, our public-facing web presence is not a retail resource. For us, the trade-off was easy: we use a cloud service because it was easy to build and relatively cheap to run. There isn't much of a security dimension.

What should your organization do with respect to cloud computing and cloud storage? You should go through the business case with an eye on your Cybersecurity Program (CSP). You should do what you would do with any digital asset decision: lead with the main mission but cover the cybersecurity bases. There is no silver bullet, no magic incantation, no way around balancing the art and science.

This is hard. We can help. Ask us how.