Evolution of Cybersecurity Communities
Author: Kim Watson
September 2019
I have been in cybersecurity and its predecessor fields for 30+ years, and started my foray into security automation sometime around the year 2000. Over this time period, I have noticed an evolution in the cybersecurity communities I have engaged with...
Looking back, I realize that these communities matured in stages. These stages, and the transitions between them, occurred as the field of cybersecurity matured, relationships between organizations became more interdependent, practitioner leadership roles shifted, and the community perspective broadened. This article provides insight into the stages of community and highlights some strategies to get us to a place where ideas like collective defense may become a possibility.
Stages of Cybersecurity Community
We participate in community because it offers us something that we value/desire. We are willing to meet the expectations and we trust that if we do our part then the community will deliver appropriate results.
The stages of community reflect a growth in expectations, returns, and required trust. At each stage our role is more demanding, what we gain is more substantial, and we often become more dependent upon each other. Not all communities need to advance through all the stages to be effective; it depends on the purpose of the community. As we mature our perspectives on cybersecurity and try to establish partnerships and complex relationships, we need to understand the underlying foundations of trust and expectations so we can establish and nurture an environment where the community can thrive at a more advanced stage.
Stage 1: Guidance
Purpose: To advance the state of cybersecurity.
Expectation: Participants were expected to contribute to the body of knowledge; to help define and implement best practices.
Return: In return, participants would have vetted and credible guidance to follow. The community guidance would provide management with evidence of value, so that they would support implementation.
Trust: The participant trusted that those in the community were credible.
Stage 2: Advocacy
Purpose: To externalize and evangelize new or advanced perspectives on cybersecurity with stakeholders and governance bodies.
Expectation: Participants were expected to support the creation and adoption of norms for assessment and valuation of cybersecurity, in particular the best practices created by the previous community.
Return: In return participants would be able to make recommendations on investments and use of resources that would result in receiving credit for meeting norms.
Trust: The participant trusted that those developing and advocating for the standards shared their values and concerns, and that they represented an agreed-upon view of risk and a consistent understanding of business needs and constraints.
Stage 3: Participation
Purpose: To share operationally-relevant information to jointly prioritize or characterize cybersecurity risks.
Expectation: Participants are expected to participate with integrity, sharing what they know as openly and honestly as possible.
Return: In return, participants would have access to knowledge and capabilities that they could not develop alone.
Trust: The participant trusts that the others are providing unique, appropriate, and relevant information, methodologies and services.
Stage 4: Shared Responsibility
Purpose: To consistently define and mitigate cybersecurity risks. There is an understanding that the problem is larger than any one entity.
Expectation: Participants are expected to participate in a manner that actually improves the value of what the community produces. They are willing to be accountable to expectations of the group that may be more restrictive or larger than what they are responsible for on their own.
Return: In return participants receive tailored knowledge that scales and is more consumable or embedded in the capabilities produced by the community.
Trust: The participant trusts that participation generates a greater benefit: that they would be worse off if they did not participate, and that the result is greater because of the community investment and they could never match it on their own. The fact that they have transitioned through the other stages has built a foundation that makes it easier to extend this level of trust.
Stage 5: Partnership
Purpose: To develop and implement cybersecurity risk mitigations at scale. There is an understanding that the solution is larger than any one entity.
Expectation: Participants are expected to own particular parts of the solution space on behalf of others in the community.
Return: In return, participants are able to focus on a subset of the solution space and rely on others to provide services and perform functions on their behalf. This frees up local resources to be best in class in the area that is their responsibility.
Trust: The participant trusts that all the others will do their part, and do it well enough to meet the needs of the participant. This is more than the trust required for the previous stage, where it was just necessary to trust there was a benefit. At this stage, you have to trust that there will be no harm or negative consequences.
True Partnership
True partnership means you surrender something. There is something you are no longer doing that you have handed off to your partner and vice versa. That takes real trust. Your bottom line, your success, your credibility, and your reputation are in someone else’s hands. That is rarely acceptable, but for a business or government entity it could be catastrophic if that trust is misplaced. So how do we get there?
It is possible to build the requisite trust, expectations, and capability/capacity by cultivating it in communities that are already in the shared responsibility stage. But this takes time, and I honestly don’t believe this will happen until it is a necessity…until your bottom line, success, credibility, and reputation absolutely cannot exist outside of having others do things for you that you can no longer do for yourself.
Many of the ideas being discussed to protect and defend the nation involve partnerships. Unfortunately, the communities being asked to engage in these partnerships have not developed the necessary trust to meet expectations.
Advancing Shared Responsibility, Cultivating Trust
Looking at the stages, and what it takes to transition between them, it seems that we need to find ways to make people feel that part of belonging to a community is to participate in a manner that improves the value of participation for all. The largest barrier to this type of contribution might be a fear of having misplaced their trust…that the effort and risk of the contribution will not result in the added value of the desired return. Worse yet, there is the fear that if they trust inappropriately, their very contribution could be used against them by stakeholders, regulators, auditors, etc.
If this is true, then employing Low-Regret strategies is a way to get community members to transition from a model of Participation to one of Shared Responsibility. Develop, employ, and share techniques that minimize the impact to the participating members even if their trust is misplaced. Work together to define ways to be successful even if the community doesn’t deliver fully on the expected results.
An existing example of this type of community, built on the establishment of Low-Regret techniques, is the open source community. Members take code developed by others and use it in their own environment. They employ test and evaluation techniques and openly share the results of their analysis when problems or vulnerabilities are discovered. Organizations believe the open nature of the projects provides some validation of their trust in other members’ contributions, but they also employ processes to minimize the effect on their business operations even if that trust is misplaced.
Over time, small groups that have successfully implemented a Shared Responsibility model may develop the trust required for a small number of Partnerships to form organically.
Conclusion
We can continue to mature our community to the Shared Responsibility model, particularly by identifying strategies and techniques that compensate for the required increase in trust by minimizing the operational impact associated with misplaced trust. Whether we will ever get to a true Partnership model will depend on external factors that influence perception and social expectations/accountability. Of course, if we were really operating from a model of Shared Responsibility, maybe the natural evolution of pockets of Partnership would be enough to support some implementation of collective defense.