Transforming the posture
On executive cybersecurity in boards of directors: from “fail-safe” to “safe-to-fail”
Abstract
Boards of directors face a structural gap between the way they conceive of cyber risk and the real nature of modern sociotechnical systems. The dominant perspective, known as “fail-safe”, seeks to prevent every failure through the implementation of formal controls, creating a false sense of security that exposes organizations to cascading effects once the inevitability of failure materializes. This article proposes a conceptual and practical transformation toward a “safe-to-fail” posture, grounded in the principles of Security Chaos Engineering (SCE) and the resilience of complex systems, that allows leadership teams to learn, unlearn and relearn from security breaches and incidents, so as to innovate and move quickly despite past, present and future adverse cyber events.
