Predicting future security challenges is hard.
It involves anticipation and imagination. How will emerging technologies be used by entrepreneurs and businesses to change systems and infrastructures? And conversely, how will adversaries exploit the new opportunities and attack surfaces?
It is not just about the arms race between attackers and defenders. From geopolitics to the marketplace, digitalization will be highly contested. There will be battles for access, privacy, sovereignty, control, commercial rights and more.
There are multiple perspectives, and much can be learnt by considering the views, incentives and time horizons of governments, venture capitalists, large technology players, and security consuming enterprises.
But many of these perspectives are collective views. They hide the trade-offs and barriers that all individuals face as they construct their points of view or make security decisions.
Taking account of all the above is very difficult.
Although the security industry is often portrayed as changing quickly, some technologies take years to bring to market and will exist in the field for even longer. So, it really pays to anticipate long-term cyber resilience requirements. I am used to doing this through a mixture of engaging with different stakeholders, sharing visions and assumptions, showing new security technology ideas and iterating on feedback.
I recently had the opportunity to take a very different approach. Specifically, inspired by the futures thinking research of RISCS, I used creative writing to explore and enhance my knowledge of the way security information flows between stakeholders. The result is the story “Bringing rigour to security: how hard could that be?”.
Now would be a good time to read it before finishing this piece, so you can judge it without knowing more of the context and intention that went into it.
A good story centres on problem solving of some kind, and the problem I was focused on was how vendors (like HP) can signal and explain the merits of their security solutions. Obviously, we can make marketing claims, but the security market is highly contested so why should one company’s narrative be trusted above others? Or, more broadly, how does the market decide what good security looks like?
Part of the answer lies with third-party assessments and certifications. But this is a challenging solution, as good assessments take considerable time and skill. So, in a fast-changing technical environment, how do we distinguish good assessors and good assessments?
Scaling good third-party assessment is a problem that technical authorities like the NCSC have paid attention to. They have developed Principles Based Assurance (PBA), a flexible methodology that involves making and substantiating claims for ‘good’ security properties:
- Principles Based Assurance (PBA) – NCSC.GOV.UK
- Making Principles Based Assurance a reality – NCSC.GOV.UK
- Read the RISCS Assurance by Principle Report December 2023
This approach is relatively new and being piloted and shared for feedback, and so provided motivation and context for the anticipation problem I wanted to explore in the story.
To get started I thought about some of the stakeholders and people involved in making security investment decisions. To narrow the scope, I focused on an enterprise customer (as opposed to a vendor, a regulator or a consumer). The customer has multiple people affecting security, but I chose to focus on the CISO and a newcomer with relevant finance skills. We get to see some of the problems of security investment decisions through his eyes.
I have known and met several CISOs and accountants, and my characters are not based on any of them. Instead, I imagined and documented what they were like as people, and then put them in what I think are typical situations and interactions with security-related third parties. Then I rendered how I thought they’d react and introspect.
I won’t interpret my own story, but I think the result expresses more than I could have said directly about the nuances of security influence and information flows – now and into the future. It also helped develop my thoughts about the different levels and kinds of impact that industry analysts have compared with the deep technical experts providing certification.
The story was used as a pre-read for a roundtable on Principles Based Assurance that was organized by RISCS Director Genevieve Lively, RISCS Senior Fellow Matthew Spencer, and myself in the autumn of 2024. Hosted by HP, the roundtable included experts and leads on PBA from the NCSC as well as academics of different disciplines working on sociotechnical approaches to cyber security.
The rich mix of domain knowledge, experience and research disciplines was always going to be fruitful, and there were a lot of parallels between the story and the roundtable, including how to avoid disincentivizing security innovation, and how to get risk owners to really pay attention to risk (rather than just ensure a box is ticked).
There was alignment across this group, too, that it would be valuable for social scientists to study and provide richer accounts of how security opinions and decisions are constructed and influenced. Some of the ideas were directly linked to the role narrative plays in forming security expectations.
As a final comment, I am interested to know if readers of the story find that it successfully ‘shows rather than tells’ a plausible perspective on the security market, and how it might compare with a more typical opinion piece essay. If you have any feedback, please let me know: contact-riscs@bristol.ac.uk
October 2024