This February 24th marks the 15th anniversary of my first attendance at the RSA Conference in San Francisco. It was a powerful experience: an event of such magnitude in such a wonderful city where innovation and entrepreneurship awakened my dream of being an entrepreneur.
Over these 15 years I have seen how startups have become giants of the industry, how industry leaders have lost luster and relevance in the market, and how cybersecurity evolves every year with new technologies.
Recently the conferences have focused on presenting how security has been nurtured by Big Data, Artificial Intelligence and Process Automation, shifting security strategies toward developing capabilities to detect and respond to cyber-attacks rather than to prevent them.
At the end of the day, both the methodology that supports security decisions and Risk Management are oriented toward managing uncertainty. However, the organization's own risk appetite often assumes unexpected events which, if they happen, can leave the organization with irreparable reputational damage or with impacts on its processes that are not easily restored.
Lately the marketing strategy of companies offering cybersecurity services has focused on the concept of cyber-resilience, i.e. the ability of a company to adapt positively in the face of adverse events. However, experience shows that recovering an organization from a cybersecurity attack is not easy, and its economic, reputational and competitive losses are incalculable.
The big problem with resilient models is that they are static: they do not evolve and do not adapt to the new techniques, tactics and procedures that are continually being developed.
In line with this topic, on a business trip I came across a book that caught my attention: Anti-Fragile by Nassim Nicholas Taleb, where he presented a risk management model for events such as cyber-attacks, the so-called black swans, and how we should deal with them.
Although the book talks about economics, I managed to relate its concepts to cybersecurity models: a large number of components related to a large number of controls that together represent the attack surface, and the information asymmetries between those who gain and those who lose (attackers vs. attacked).
Nicholas Taleb shows us the difference between resilient and anti-fragile risk management models through Greek legends such as the sword of Damocles, the Phoenix and the Hydra. Below we describe the characteristics of each of these cybersecurity models based on those analogies.
| Fragile (Sword of Damocles) | Resilient (Phoenix) | Anti-fragile (Hydra) |
| --- | --- | --- |
| Suffers or fails with volatility | Remains the same under volatility | Grows and gets stronger with volatility |
| Greater loss than gain from volatility | Indifferent to quiescence or volatility | Greater gain than loss from volatility |
| Seeks tranquility | | Seeks disorder |
| Mistakes are rare and large | | Errors are small and benign |
A3Sec Group has been applying these ideas through its Prevention, Detection and Response strategy, implementing several heuristics in the way it deploys and operates its solutions:
It is time to transform cybersecurity strategies. That is why A3Sec Group tirelessly seeks to Protect Knowledge and to evolve with its customers toward anti-fragile cybersecurity models.
We will be at the RSA Conference sharing experiences and learning from so many friends, see you in San Francisco!