Survival of the fittest: When it comes to protecting its information, can an organization learn from nature?

14 06 2012

At first glance, this may seem like a very provocative question.  Perhaps a question better suited for waxing philosophical at your local coffee house, as opposed to the boardrooms of Fortune 500 companies or the United States Government.  However, recent interdisciplinary studies have shown that complex organizations can learn a thing or two from even the simplest creatures.

A recent book by Dr. Raphael Sagarin and Terrence Taylor, Natural Security: A Darwinian Approach to a Dangerous World posits precisely that, with outside the norm thinking and execution, organizations can benefit from the survival skills that species’ have adapted over time.[1]

An argument central to the authors’ theme is that risk cannot be eliminated; rather, risk can only be minimized.[2]  One example is how the United States Transportation Security Administration (TSA) could adapt behavior from marmots, when it comes to recognizing and communicating potential threats.  To paraphrase the author:

“The Government Accountability Office confirmed what most Americans already suspected: the (TSA) cannot possibly control all potential threats to airport security.  Biological organisms inherently understand this. They realize they can’t eliminate all risk in their environment. They have to identify and respond to only the most serious threats, or they end up wasting their resources and, ultimately, failing the evolutionary game.  These models suggests that the TSA would be more effective by being much more selective in whom it considers for screening, rather than trying to eliminate all risks posed by liquids.  A biological assessment of the TSA’s methods also found that the agency’s well-advertised screening procedures may lead to a kind of natural adaption by terrorists.  A study of animal behavior suggests that advertising your security procedures and continually conveying to others that there is a state of elevated threat only helps inform potential terrorists of loopholes in the procedures, while keeping the general population uncertain and nervous.  Species such as marmots, which continually emit warning calls to each other even when no immediate threat is present, force the other animals in their group to waste time and energy trying to figure out if the implied threat is real, he noted.”[3]

So while this example may point out that a reliance on individual, natural instincts may aid in recognizing threats, how this methodology translates to complex organizations would most certainly require a careful, yet flexible, approach to implement.

A potential approach, also described in an article by Sagarin, takes natural observations such as forming good relationships, and continuous adaptation, and applies them as a framework against the context of protecting against terrorist attacks.[4]  But, can these observations be applied to protecting a corporations’ information?

As a person who has worked in the Information Technology field for upwards of 15 years, with all of my experience in the process heavy and bureaucratic waters of the automotive manufacturing industry, my initial response would have been a succinct, no, not a chance.  However, after digging into the articles and research, I have to say the idea is thought provoking at the very least.  Of course, any change would certainly not be easy.  A reflections on my own experiences of the day-to-day operations over the years brings to mind politically charged and contentious relationships, as well as slow adaptation or reactionary response mechanisms.  When I think of IT security, a favorite Dilbert cartoon comes to mind:

[5]

While this cartoon represents (hopefully) an extreme, albeit comical, example of how organizations may react to security vulnerabilities, what may be more telling is the last caption –the problem/risk has been fixed.  And that may be the fundamental trap; that risks can be eliminated (fixed) rather than putting the focus on minimizing the risks.

Taking the above mentioned framework, with the baseline foundation of minimizing risk, let’s analyze how it may apply to information security in a major corporation.

Forming Good Relationships

The idea of forming good relationships can be applied in different aspects to help secure information.    When I think about the information security teams I have dealt with in the past; a precise hierarchical structure, typically managed by the Information Technology organization comes to mind.  This may seem plainly obvious to most, since the proliferation of computing across most businesses has intensified the need to secure a corporations’ data – now scattered across a wide array platforms ranging from data centers to mobile devices.  But does this function have to be a pure IT responsibility?

While an IT Security team is typically staffed by knowledgeable and competent people that are trained to deal with computing vulnerabilities and threats – they certainly can’t be the only people in the organization fit to protect the companies’ information assets.

Someone in the research and development department may have insight into upcoming product lines that should be evaluated for possible threats or a person in the marketing department may have a sales campaign idea that could expose vital corporate information.  Each person may bring a unique perspective that can be shared across the organization with respect to protecting information.  And this information sharing should be viewed as a complementary function, rather than a hindrance to progress – speedy delivery to market should be balanced against minimizing risk.

So instead of isolating the dialogue and analysis solely within the IT security team, opening up the links of communication may broaden the overall organizational understanding of identifying and minimizing risks.

Continuous Adaptation

Another area of consideration is the premise of continuously adapting over time.  Many organizations do a lot of work to implement standalone security processes or mix security into product development cycles – access control audits, security checklists, etc.  Lots of effort is put forth and policies are driven down by leadership with strict expectation for adherence.  This is good work and is certainly not to be discounted.  However, sometimes the creation of these policies can be viewed as a discrete deliverable – meaning once the policy is in place, the effort is focused on execution, rather than constantly evaluating whether the policy remains relevant.

Perhaps the constant evaluation of policies should weigh just as important as the initial creation of those policies?  Of course, not only does this take a shift in thinking, but it also has a cost in terms of effort and resources.  Additionally, when an attack occurs it is appropriate to respond to the attack and make sure the vulnerability is patched.

Making the shift from reactively responding to attacks to proactively identifying risks and vulnerabilities should be the ideal state.  And although this effort may be difficult to measure against traditional metrics, such as ROI, the value of this living activity should not be diminished.

Conclusion

So while some techniques may not work for all – I’m not suggesting we all pick up the latest journal on marmot behavior – there are clearly some things that can be learned (as in the TSA example).  However, the fundamental message is that we must learn to live with risk, and focus our efforts on minimizing risk, as opposed to chasing the belief that risk can be eliminated.  And the effort to minimize risk may be achieved if organizations are willing to tap into its diverse pool of resources in an effort to continuous identify and adapt to threats and vulnerabilities.


[1] Sagarin PhD, R., & Taylor, T. (2008). Natural Security: A Darwinian Approach to a Dangerous World. University of California Press.

[2] GoogleTechTalks. (2008, May 29). GoogleTechTalks: Natural Security (A Darwinian Approach to a Dangerous World). Retrieved June 9, 2012, from YouTube: http://www.youtube.com/watch?v=job2avPAbgU

[3] Duke University. (2008, January 28). Lessons From Evolution Applied To National Security And Other Threats. Retrieved June 9, 2012, from ScienceDaily: http://www.sciencedaily.com/releases/2008/01/080128165715.htm

[4] Sagarin PhD, R. (2003). Adapt or Die. Retrieved June 9, 2012, from UCLA: http://sagarin.bol.ucla.edu/pdfs/AdaptOrDie.pdf

[5] Adams, S. (2004, January 11). Dilbert. Retrieved June 9, 2012, from Dilbert: http://dilbert.com/strips/comic/2004-01-11/

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: