
Organizational Design and OT Risk

Sometimes the digital world has an impact on the real world...and it's not always a positive one.


Reasonably Accurate Transcript

Morning. How's everyone doing today? A lot of interesting things happened yesterday. A couple of things blew up on the side of Facebook and Cambridge Analytica. Let me just double check the levels here. Cool. Alright, so yes, weird, totally weird.

Well, not weird, but disappointing, I would say, in that Alex Stamos at Facebook is shifting his role away. He is no longer going to be the CSO there. He is shifting that set of responsibilities and the team over to infrastructure services and such.

An interesting note in the New York Times article that covered it was his departure in August, which he had said; he's still working at Facebook, still focusing on election fraud and things like that. But I don't think those are two incompatible statements.

I think he may end up still leaving in August. That's disappointing; Alex is one of the best in the field. And for him not to be able to have an impact or influence at the scale that he felt appropriate really says something about CSOs in general.

And I think that ties to some stuff that I was talking about last year, and I think I'll be talking a lot more about it this year. So, last year and the year before, I talked about security teams and organizational design, whether they were set up for success or for failure.

And I think that's really interesting in that a lot of people just go blindly about their day in security going, yeah, you know, I'm working on solving the perimeter issue. I'm running IPS, I'm running a firewall, I'm doing incident response.

But really that's all firefighting stuff, right? It's not really getting ahead of the curve, and that's generally the challenge we have in security: we're always fighting fires, we're never actually teaching people fire safety. And I think it's an organizational design problem.

You take all the people who are experts in security and you put them in a team on their own, away from the business. Not talking to the business, not helping them develop better solutions, solve problems in a more efficient manner, build security and privacy in from day one. So of course, if they are going to be effective, they are going to have to spend all their time in meetings and not actually do any work, which is not how you want to run your team.

And then the flip side is, or they can't communicate, they can't have the political will or influence. So they end up building these strong perimeters because it's the only thing they can control. And that's really what we have, and that's sort of been now codified as best practice.

And I think that's a stop-gap measure. I think that's the best sort of acquiescent... acquiescence... acquiescing. Jeez, I feel like it's Monday, right? It's Tuesday, unfortunately. It's like, you know, you are acquiescing to the situation. You're saying I can't move this mountain.

I'm going to just dig my little trench here. I'm going to build my wall. And that's not what we need to be doing in this day and age. And I think of Alex Stamos' departure from his main role at Facebook, previously from Yahoo.

And you may think, oh man, that is not very good. No, he's one of the best in the field, which is why he's tackling these major problems. And it's unfortunate that someone as good as him has not been able to have the impact at these firms that you would expect.

And I think for me the core root cause there is that the teams are not set up for success. You cannot build up a massive security department and say, hey, we're going to have security because we've invested a huge amount into it. Invest a huge amount into security, but it needs to be built into the fabric of everything else.

You need to be out there educating, teaching people. And it's funny because in the background you can see some of the notes I have; I actually have a couple of notes for future videos, like formal videos. One is "I lost my phone, now what?" That was from my friend's experience.

And then "learn more about getting into cybersecurity", because I've had some great response to the work I've done there. And I think people are really interested, but the challenge I have in giving that kind of advice about getting into cybersecurity is I don't really believe you should be getting into the existing set of cybersecurity roles, because I don't think they are effective.

I think there are far better ways to do this, to get closer to actually getting the job done, and I hope we can get there. That's probably going to be the majority of my appearances at security conferences this year and next year: talking about organizational design, talking about better ways to do it.

And that, and operational technologies, kind of bridges to my next topic, which is, unfortunately, there was a fatality yesterday from an Uber vehicle. It was in Arizona, and Arizona has been quite at the forefront of allowing self-driving cars and self-driving freight tests.

And it's unfortunate that there was a fatality yesterday. The details are still coming through, but apparently there was a human driver in the car, but the car was in autonomous mode, which means there's going to be a ton of data to analyze and figure out what went wrong. And driving in a city is an extremely difficult problem to tackle.

And there are so many variables, but this comes back to a theme that I talked about at South by Southwest, and that I have talked about at a few internal events for various companies around the world, which is that when we are dealing with operational technology, so essentially not in IT...

Information technology is, you know, what we're used to every day: we are typing up documents, we are making data, we are processing information. OT, operational technologies, have a real-world component: health care devices, robots, autonomous vehicles. It is the heavy-duty side of IoT.

So autonomous vehicles fall under OT, and here it's a very different scenario as far as what's going on from a security perspective, because there's zero risk tolerance. Whereas, you know, the example I give is if you're running a business online.

And you're sitting there and saying, ok, I'm making $10,000 an hour or making a million dollars a year on my website as a business. And I can afford to defend that business up to a million plus or something like that, to defend my reputation and things like that.

But there's a very definitive line: I'm not going to spend more on security than what the data or the income is worth, because why would you? Why would you spend $10 million to protect a million dollars? It doesn't seem to make any sense.

You're losing money that way. When it comes to operational technologies, that risk equation completely changes. You're not willing to take that risk, because now you've gone from saying I'm making money and there's a line at which it is no longer profitable, to I'm defending human life, right?

Or I'm interacting with the real world, and human life or environmental damage is at risk. I'm not going to accept any damage there or any issues; there is zero risk tolerance. So now your security equation changes: you're far more willing to pay for extraordinary measures that you wouldn't be able to justify to protect your website.

And I think most people agree with that. So when it comes to autonomous vehicles, like, unfortunately, the one that had a fatality yesterday in Arizona, that's going to be picked apart, because it is a zero tolerance scenario. You are not going to allow vehicles, you know?

Ok, a bug, I'm cool with bugs, because you know what, bugs are only going to kill one in 1000 people? No. It's one thing if you say one in 1000 systems are going to have to reboot and in the worst case scenario you lose your browsing history or that draft of a document.

It's another to say one in 1000 people are going to get hurt. It's a completely unacceptable metric. So it's a shift in the threat and risk analysis. So I'm giving a couple of upcoming talks that bridge from what I talked about last week at South by Southwest; I've got a couple that I'm looking to schedule over the next few months on the security side.

So going deeper than I did at South by Southwest. But also I am looking to start talking at a couple more conferences around the same level as South by Southwest, so a much higher view of the situation, so people are just aware of the challenges there.

Because I think that's really important, so sort of double tackling a risk there, a risk in the organizational design. Not sure where I'm going with this stuff today, but lots on the plate to catch up on from being away last week.

And not being on the ball so much in the last couple of days because I'm just recovering from that and getting readjusted. So, anyway, unfortunate, very unfortunate and tragic with the death in Arizona. And my heart goes out to that person and their family.

You know, I don't even know what to say to that. It's unfortunate, it's tragic. There's no other way to look at it. Thankfully all the testing has been paused. So we'll see what it is, but it is a wake-up call, I think, for engineering. It's a wake-up call for security to say, hey, there are real stakes here. And I think that's a key takeaway for a lot of people in operational technologies: it is not like IT where you can say we'll patch it, we'll fix it.

So what if that game doesn't work properly? We'll just patch it again. You can't patch or fix real-world damage. So hopefully there are real steps forward taken as a result of this tragedy. But we'll see, and I wish I had a happier note to end this on.

I don't know where to go from there. Hopefully somebody's got a good cat video or something that we can pass around. Or I saw on Facebook the other day, a friend of mine had passed along, it was just this absolutely adorable puppy going, you know, exercise is good for you, and you just have this paw on the treadmill and just doing this; that was his exercise.

And I think that was something positive. Anyway, search around for some jokes, maybe. Find something to cheer you up. Didn't mean for this to go so sad, but I hope you have a good Tuesday and I'll talk to you guys tomorrow.
