Why Root Cause Analysis is a Vital Part of Your Security Improvement Journey

At CyberCrowd, our mantra is that we always help our clients make informed security decisions. We think this approach empowers our clients and improves their thought process with regard to cyber security. For example, informed security decisions provide clarity when building business cases, give a greater understanding of business assets and, more importantly, enable a pragmatic view of Information Security.

It sounds easy when you read it out like that. Unfortunately, it’s not easy at all. It requires a tremendous amount of business smarts, experience, confidence and patience. When you throw into the mix our industry’s fragmented, everything-proprietary, “let’s scare everyone into buying our solutions” approach, it’s really not surprising that we fall into a problem-solving mindset rather than addressing root cause.

Before we attempt to fix problems or work on improvement, our job is to instil a base-level understanding of what Cyber Security actually is and what it involves. Put another way, we’re attempting to put in place a solid foundation. That foundation is built on three key facets: People, Process and Technology.

These three facets really do rely on each other. For example, there is no point introducing a technology solution to a security problem without addressing staff awareness, policies and procedures (People and Process).

With the appreciation that cyber security is not just about technology comes the freedom to hold off making immediate decisions. Of course, decisions still need to be made, but they can be made with information gathered by looking through a different lens.

For example, if your issue is a lack of control over admin accounts, you know you have a serious problem. If you’re in the midst of drawing up a shortlist of vendors that can help you with this issue, then arguably you need to take a step back and carry out some root cause analysis.

You’ll likely end up asking some of the questions below:

1. Do we have a policy regarding how we manage admin level credentials?
2. Do we have a process for checking the ongoing effectiveness of the policy?
3. Are there consequences for anyone who misuses admin credentials?
4. Have we trained our staff on the risks of common threat vectors for privileged users?
5. What are the impacts?
6. Who is responsible for security in my business, and do they have the authority to drive change?
7. How do we know who has admin level credentials in our business?
8. Do they need this level of access?
9. Have we considered least privilege as an approach?
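Questions 2, 7, 8 and 9 above boil down to a repeatable check: compare who actually holds privileged access with what the policy says should exist, and flag anything that has drifted. The script below is an added example, not part of the original article or of any CyberCrowd tooling. The account inventory, the approved-access list and the 90-day review period are constructed for illustration; in practice the inventory would come from your directory or identity provider.

```python
"""Audit privileged-account holdings against an approved-access policy.

Added example. All data below is constructed for illustration and does
not describe any real organisation or system.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AdminGrant:
    user: str          # account holder
    group: str         # privileged group the account is a member of
    approved_by: str   # who signed off on the access ("" = no record)
    reviewed_on: date  # last attestation that the access is still needed


# Constructed: what the directory reports today.
INVENTORY = [
    AdminGrant("alice", "Domain Admins", "ciso", date(2024, 1, 15)),
    AdminGrant("bob", "Domain Admins", "", date(2023, 6, 1)),
    AdminGrant("carol", "Local Admins", "it-lead", date(2024, 2, 20)),
    AdminGrant("dave", "Domain Admins", "ciso", date(2023, 11, 1)),
]

# Constructed: the (user, group) pairs the policy says are permitted.
POLICY = {
    ("alice", "Domain Admins"),
    ("bob", "Domain Admins"),
    ("dave", "Domain Admins"),
    ("erin", "Backup Operators"),
}

# Constructed: how often a privileged grant must be re-attested.
REVIEW_PERIOD_DAYS = 90


def audit(inventory, policy, today, review_period_days=REVIEW_PERIOD_DAYS):
    """Compare actual privileged grants with the policy.

    Returns a dict of sorted (user, group) lists:
      unapproved          - access exists but the policy never allowed it
      missing_approver    - allowed access with no record of who approved it
      stale_review        - allowed access not re-attested within the period
      approved_but_absent - policy allows it but nobody currently holds it
    """
    findings = {"unapproved": [], "missing_approver": [], "stale_review": []}
    seen = set()
    for grant in inventory:
        key = (grant.user, grant.group)
        seen.add(key)
        if key not in policy:
            # Drift: somebody granted admin rights outside the policy.
            findings["unapproved"].append(key)
            continue
        if not grant.approved_by:
            findings["missing_approver"].append(key)
        if (today - grant.reviewed_on).days > review_period_days:
            findings["stale_review"].append(key)
    # Approved entries with no live grant are informational, not a risk,
    # but they show the policy itself needs tidying.
    findings["approved_but_absent"] = list(policy - seen)
    return {k: sorted(v) for k, v in findings.items()}


def report_lines(findings):
    """Render the findings as plain text lines, one per issue."""
    lines = []
    for category, keys in findings.items():
        for user, group in keys:
            lines.append(f"{category}: {user} in {group}")
    return lines


if __name__ == "__main__":
    for line in report_lines(audit(INVENTORY, POLICY, date(2024, 3, 1))):
        print(line)
```

The output of the audit is the input to the next round of questions: an unapproved grant points at a missing process (who can add members to a privileged group, and who checks?), while a stale review with no approver on record is the "no one has ultimate responsibility" finding from the 5 Whys below, surfaced as data rather than anecdote.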

Depending on the maturity of the business, you might have a different list of questions. The point is, we have not jumped to the conclusion that a technology solution can help us to address the issue. We have taken a step back and explored why the business is in this position in the first place. We can now make some informed security decisions.

The answers to the questions drive the next set of actions. As a consequence of asking them, we improve our staff security awareness (People), perhaps create some policies and monitor any improvements (Process). We may well decide that we need to apply some technology as a belt-and-braces approach to the issue, but we may equally be comfortable that we have mitigated the risk (Business lead for security) just by approaching the issue differently.

Following this logic gives us the opportunity to deliver security improvements across the business. If the analysis determines that we need a technology solution, then we have a ready-made business plan to present to the board. In addition, we’re already thinking about the policies and procedures, so if we do need to adopt a new piece of technology, we can align it to our business goals.

Root cause analysis drives more questions. The focus is on addressing the real cause of the problem rather than its symptoms. If you’ve never applied it to cyber security before, why not try it next time you catch yourself thinking about how to fix something before you understand the real cause of the issue.

A starter for 10, using the 5 Whys from Six Sigma and applying it to our example above:

  • Why do we have so many people with admin accounts?
    • Because they tell us that they are required?
  • Why don’t we have a policy for admin account usage?
    • We do, however they do not follow it?
  • Why do they not follow the policy?
    • There are no consequences to not following it?
  • Why are there no consequences?
    • The owner of the original security policy has left the company, and no one has ultimate responsibility for security now?
  • Why has this not been escalated to the board of directors?
    • Good point.

If you’re struggling with this, or would like some independent advice or mentoring from experienced CISO level consultants, feel free to get in touch. We like a healthy dose of pragmatism and we promise we won’t try to sell you any security products.