Rarely do I hear the word “strategy” when talking with colleagues about cybersecurity issues and solutions. Usually, we are talking about products designed to address weaknesses in technology or the configuration settings of various services. We certainly didn’t talk much about the details of Governor Hochul’s announcement of a new cybersecurity strategy published by NY State (Governor Hochul Announces, 2023). Formal strategy is not a tool that we use locally in cybersecurity, so there might be some question as to the usefulness of a State strategy. It’s a series of ideas on a piece of paper. It isn’t a new security product we can deploy or settings we can change. For this month’s article, I will spend a little bit of time exploring what a strategy is and why the NYS Cybersecurity Strategy is important to consider.
Strategy must be placed into a practical context so that people’s thoughts don’t immediately wander to a historic battlefield or a Fortune 500 boardroom. Imagine that a ball was thrown to you. The ball will take some time to reach you. You plan while the ball is traveling so that once it arrives you can catch it. You must anticipate where the ball will arrive and align your resources to catch it.
Taking the ball example even further. You could wait to deal with the ball until the very second it arrives. But there are several challenges with this. Your body can’t instantaneously reposition once the ball arrives to catch it. It’s physically limited in that way. Additionally, the human brain is incapable of immediate perception. The things we observe have already occurred in the past. There is a very slight delay between what is occurring and the time it takes us to perceive of it (What You’re Seeing, 2023).
At a very basic level, strategy is the process of observing that the ball has been thrown, predicting where the ball will be in the future, and then aligning yourself to catch it or dodge it (goal setting). It’s the art of anticipating the future and acting in the present to realize the opportunities (or avoid the hazards) of that future when it arrives.
Yes, strategy is about predicting the future. While that does sound like science fiction, we do this every day. Meteorologists study trends in weather to make forecasts about what weather conditions will exist in the future. People then plan their outdoor events around those predictions. They are not always correct, but those predictions reduce our uncertainty about the future enough to make us feel confident to plan and act.
When we use what we know about the past and present to create predictive models of the future, this can be considered “small world representation” (Levinthal, 2011). First, we create a small world which is an empty subset of the real world. Then we populate that world with only the information that concerns us and our goals. For instance, if we examine the small world representation in the NYS Cybersecurity Strategy, we find references to historical cybercrime figures, observations about criminal patterns today, and predictions as to the rate of criminal cybercrime activities in the future. We also see that nation state activity has been placed inside the small world (Cybersecurity Strategy, 2023).
If we consider the NYS Cybersecurity Strategy as a complete and comprehensive representation of the world, then we would be seriously mistaken. Representational models which underpin strategic plans clearly involve exclusionary choices (Levinthal, 2011). For example, cybersecurity strategy at the national level places developers and manufacturers of digital technologies into their model and makes historical references and predictions about these actors’ activities (National Cybersecurity Strategy, 2023). Consideration of these actors is not fully present in the NYS model.
At first it can seem that strategies which are necessarily built on exclusionary small world representations are inherently flawed. They will always be built on a subset of information because it’s highly difficult to impossible for strategic planners to consider every single actor and trend in the world. Returning to the ball example, in real life there is not only one ball which is thrown but millions. An additional value of a strategy is the property of its exclusions. Because strategic planners lack the capacity to predict all the thrown balls, they must also select to anticipate only the ones which matter. In this way they also acknowledge limitations in resources or capabilities. If humans only have two hands with the ability to track a single object, that would be a significant limitation on not only anticipating where all those balls will travel (forecasting) but also catching them (acting).
Alright. Now we are sufficiently millions of miles away from battlefields and boardrooms. We can talk practically about the NYS Cybersecurity Strategy and why it’s important. By continuing to work on this strategy NYS is identifying a series of thrown balls, anticipating where they will be in the future, and aligning resources to seize opportunities and address challenges of that future. NYS is reducing uncertainty throughout the State which enables organizations to act with more confidence. Organizations don’t need to ponder the infinite possibilities tomorrow will bring. They are either a state agency placed within the small world representation of NYS with its predictions and goals to address the future, or a private organization that can choose to live there.
A published strategy from NYS is also important because organizations throughout NYS have many different strategies. Representational models are utilized to create strategies and extrapolate the future. This means that organizations are literally living in different worlds and moving towards different futures. Organizations with competing visions of the future are often considered rivals and partnership is difficult and less likely in those situations. Rivalry between defenders of cyber resources seems unusual given that almost every organization wants to avoid being disrupted by criminal or nation state activity. And yet a lack of strategic alignment (having the same or similar small world representation with complimentary goals) makes contention inevitable.
Lastly, by publishing a cybersecurity strategy NYS is modeling a positive behavior for combating cybersecurity challenges. We act proactively and strategically in many areas of severe uncertainty. We must also act the same with cybersecurity challenges. We can’t just react at the last second in cybersecurity, because by the time we perceive the problem it will be too late. Organizations are typically lacking in the ability to instantaneously detect, react and adapt. The cybercrime/malicious nation state “weather” is not necessarily the real problem. It’s the fact that we often aren’t prepared enough for it in advance.
We must consider strategy to be an important part of our toolkit when addressing cybersecurity challenges in organizations. NYS has taken an important step in role-modeling this important behavior as well as giving organizations a strategic base from which to expand upon. This is important and critical for improving the resilience of NYS organizations and businesses.
References
Cybersecurity Strategy. (2023). New York State. https://www.governor.ny.gov/sites/default/files/2023-08/2023-NewYork-CybersecurityStrategy.pdf
Governor Hochul Announces Nation-Leading Cybersecurity Strategy | Department of Financial Services. (2023, August 9). https://www.dfs.ny.gov/reports_and_publications/press_releases/pr230
Liff, R., & Andersson, T. (2021). Experts’ contribution to strategy when strategy is absent. A case study of quality experts in hospitals. Public Management Review, 23(9), 1377–1397. https://doi.org/10.1080/14719037.2020.1751256
Levinthal, D. A. (2011). A behavioral approach to strategy-what’s the alternative? Strategic Management Journal, 32(13), 1517–1523. https://doi.org/10.1002/smj.963
National Cybersecurity Strategy. (2023). The White House. https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Nonaka, I., & Takeuchi, H. (2021). Humanizing strategy. Long Range Planning, 54(4), 102070. https://doi.org/https://doi.org/10.1016/j.lrp.2021.102070
Pucciarelli, F., & Kaplan, A. (2016). Competition and strategy in higher education: Managing complexity and uncertainty. Business Horizons, 59(3), 311–320. https://doi.org/10.1016/j.bushor.2016.01.003
The Economics of Crime – Economics for the Greater Good. (n.d.). Retrieved September 21, 2023, from https://mlpp.pressbooks.pub/economicsforthegreatergood/chapter/the-economics-of-crime/
What you’re seeing right now is the past, so your brain is predicting the present—QUTeX Blog. (2023, June 5). https://blogs.qut.edu.au/qutex/2023/06/05/what-youre-seeing-right-now-is-the-past-so-your-brain-is-predicting-the-present/
Need to report an IT security event or incident?
To report, please submit a ticket here: Report an IT Security Incident, or call the IT Service Desk at (585) 395-5151 Option 1.