The Cybersecurity Engineering Blind Spot

I’m fortunate enough to be able lead cybersecurity engineering organization for major defense contractor, and support those who are on the ‘front lines.’

Our mission is to ensure the systems and platforms our company delivers are cyber resilient. And cyber resiliency is a critical component of system resilience. The bottom line, the system continue to operate, as intended, despite being attacked.

To meet that requirement though, requires a fully integrated engineering approach with systems, hardware, software, safety, reliability, etc. And therein lies the challenge.

New Kid On The Block

As an engineering discipline, cybersecurity is in its infancy. Traditional engineering domains such as systems, hardware, software, safety, and reliability, have been around for decades. Which means they have decades of working together to design, build, test, and deliver complex systems.

But here we come; this new kid on the block. Full of mystery and cloak and dagger. We make these outrageous claims about an unknown adversary’s abilities but we are unable to provide evidence of those claims because the data is classified.

Then we propose protections that complicate designs and limit, or even prohibit existing or planned functionality. And to put salt in the wound, the cost to implement those changes is a lot more than the program planned for.

Is it any surprise that the prevailing mindset of the other engineering domains and program managers is that cybersecurity only adds cost, schedule and technical risk without any offsetting benefits.

The Blind Spot

Which brings us back to the challenge; and it’s one that many engineering companies.

Why?

Because, generally speaking, the cybersecurity engineering culture has a blind spot.

When it comes to the external view. Most cybersecurity engineers has a clear perspective. Many in our ranks preach cybersecurity needs must integrated into the system’s design very early on. And that trying to “bolt on” protections later is ineffective and a waste of money. But when it comes to looking inward, they have a blind spot.

The blind spot is the notion that cybersecurity engineering is cultural unique and distinct from other engineering disciplines, and should therefore be organized and or operated differently.

Here’s three examples that show why that premise is inaccurate.

A cybersecurity threat-based attack analysis is very similar to the system safety hazard analysis performed by safety engineers; and to the failure modes & effects analysis performed by reliability Engineers; and a threat-weapons vulnerability assessment performed survivability engineer. And a penetration test is similar to stress testing and environmental testing performed by systems and test engineers.

The bottom line, cybersecurity requirements are very much like other engineering requirements.

The difference, and has been, cybersecurity engineers don’t approach the work like the other engineering domains, because they have a blind spot.