Broken windows, and why we need to keep order
09:00 Monday, 14 June 2021
UK Cyber Security Council
In their 1999 book “The Pragmatic Programmer”, Andrew Hunt and David Thomas write of the malaise of allowing problems to go unfixed:
“One broken window, left unrepaired for any substantial length of time, [instils] in the inhabitants of the building a sense of abandonment—a sense that the powers that be don't care about the building. So another window gets broken. People start littering. Graffiti appears. Serious structural damage begins. In a relatively short space of time, the building becomes damaged beyond the owner's desire to fix it, and the sense of abandonment becomes reality. The ‘Broken Window Theory’ has inspired police departments in New York and other major cities to crack down on the small stuff in order to keep out the big stuff. It works: keeping on top of broken windows, graffiti, and other small infractions has reduced the serious crime level.”
We can all relate to this concept, because we've all seen old, disused buildings that have gone rapidly from being largely intact, save for a couple of defects, to being fit only for demolition. We read what Hunt and Thomas wrote and think to ourselves: yes, obviously, you’re right – but many of us had perhaps not thought about the concept until we read those words.
This lack of realisation may well be the reason that most of us work in organisations with metaphorical broken windows. We can attempt to deny this, but in most cases we will be kidding ourselves. And many of the broken windows are in security.
How many of us have worked in organisations that have security policies, but where some of those policies have fallen into disuse because perceived business priorities have taken precedence? The boss was in A&E having his fractured wrist set in plaster, so disclosed his password to a subordinate in order to process an urgent payment. The three-pairs-of-eyes check was cumbersome, and faults were seldom found anyway, so we stopped using it. Once this has happened once or twice and gone unchecked, the trickle becomes a flood and before long nobody is complying with the rules. In the average case this is fine for a while, but it always – always – eventually ends with a bad event.
Just as with broken windows, most security policy breaches have little or no impact: perhaps a few drops of metaphorical rain will blow in if the wind is in the wrong direction. As the number of breaches grows, though, the risk of something bad happening increases – but most importantly the difficulty of putting things right grows at least geometrically and probably exponentially. A quiet word with one offender suddenly becomes a group-wide campaign of training, perhaps with the purchase and deployment of tools that detect and/or prevent further transgressions. A reminder to a user that they shouldn’t have emailed the company handbook to their personal email turns into a six-figure fine for multiple data protection offences thanks to the sales team habitually doing the same with the customer database. Nipping things in the bud is always – always – better than having to stem the flow of a problem that has escalated.
The above is all very well, but what does it have to do with cyber skills? Simple: maintaining a balance of maintenance versus change is a skillset in its own right. It needs us to organise our time, and that of our teams, to get that balance right. It needs us to communicate with our peers to engage them and their teams to help us fix windows, perhaps at the expense of the development of something new and shiny they were enjoying building. It needs us to be able to guide users in how to do things correctly, and explain why we need them to do so. It needs us to communicate with the wider business – including very senior management – and persuade them to delay the construction of the new system that will make millions and instead spend some time repairing conceptual windows that – to them – bear little or no tangible risk.
Actually fixing the window may take little or no skill. But a regime of maintaining the security “building” is a highly challenging thing, and needs the people with the right skills to do it.