Written By: Rob Hatke ~
The acronym VUCA stands for volatility, uncertainty, complexity and ambiguity. It is used to describe an unpredictable situation and how you respond to it. The best reference I have found is available at https://hbr.org/2014/01/what-vuca-really-means-for-you. Go ahead and read that article, I will wait....
Ok, you are back. Any of this sounds like situations we deal with in Information Security? I hope so.
So how can this be used for Information Security? Let’s take an example from each of the letters, VUCA.
V is for Volatility - An incident in InfoSec is an example of volatility. We do not expect it, and we don’t know how long it will take to respond. However, knowledge does quickly become available for the incident. So how do you respond to this volatility? The answer in this case is to invest in IR playbooks, invest in people responding to the incident, or perhaps have a retainer for a company to assist you in your response.
U is for Uncertainty - A zero-day attack could be an example of uncertainty. Typically we know what product it affects, but often little other information, and there may be no immediate fix. So how do you respond to this uncertainty? Invest in information. Do you know how many assets are on your network? How about their configuration (physical data, configuration data, regulatory data, what type of data resides, etc)? Invest in a good Asset Intelligence Program.
C is for Complexity - Many businesses are moving to the cloud be it Azure or AWS. Successfully moving to the cloud is a very complex business as there are many interconnected parts and many ways to accomplish the same thing. So how do you respond to this complexity? Hire or grow specialists. There are companies who specialize in moving companies to the cloud, use them or have them train your employees.
A is for Ambiguity - I believe that User and Entity Behavior Analytics (UEBA) is InfoSec’s response to ambiguity. For example, a user suddenly downloads a large file late at night. Is this normal because the user is traveling or working late? Or is this an attempt to exfiltrate data? So how do you respond to this ambiguity? Should you have a UEBA tool, you will find that it will require a LOT of tweaking. This is really experimenting what works in your environment. It helps you understand the cause and effect of why that user downloads a large file.
I invite you to think of ways that the VUCA framework can help you respond better to situations.