So many people complain about the forest and the trees in the Cybersecurity Maturity Model Certification. Some look to the trees and can write 5,000-word essays about the etymology of a single word. They never see the forest.
Others claim CMMC will rise only to find itself destined to fail. They note a piling up of assumptions and technical debt. They may note that other compliance efforts like ISO failed, or unjustly complain that SOC2 compliance comes from gumball machines. They never take the time to see the trees.
Yet we need to stop worrying about the forest and trees of CMMC. Cybersecurity happens underground, through your culture. You must grow cyber hygiene in rich soil. Do not look to the forest or the trees. Instead, get to the roots of cybersecurity.
Roots of Cybersecurity
The root system expands to 20 times the size of any canopy. Often when we think trees have died around us, being returned to the earth by, you guessed it, fungus, they go on living underground. Their roots live for years, decades, possibly centuries, keeping other trees alive.
We must see cybersecurity as a symbiotic relationship between the Defense Industrial Base and the Department of Defense. You as a business owner need to understand that without some basics you can never secure sensitive data, and if you can’t secure sensitive data you will never get past the basics.
Around 90% of land plants thrive in mutually beneficial relationships with fungi. Yet we do not see it. The mycelium, the network of fine white filaments that makes up the vegetative part of fungi, exists out of sight. It just happens. That is what we need in cybersecurity.
“Mushroom, NCI Sourdough trail” by furtwangl is licensed under CC BY
It is a symbiotic relationship. The plants and trees allow the fungi to siphon off food, and the fungi help the plants eat, act as a network of advanced persistent threat analysis, and fight off pests. In a cubic inch of soil you can find 8 miles of mycelium. We must get to a similar state of cybersecurity, hidden underground and protecting our networks.
To deliver food, plants provide fungi with carbohydrates. The fungi suck up water and provide nutrients like phosphorus and nitrogen via their mycelia.
The fungi also create a network to support each other. Paul Stamets, back in 1970, compared the mycelia of root systems to ARPANet, what we now call the Internet. According to Suzanne Simard, older trees use the fungal network to help younger trees. They can redirect carbon they collect in their canopies to the children of the forest floor who hide in the shadows.
The Wood Wide Web, like cybersecurity, also provides advanced persistent threat analysis. When fungi work in the roots they trigger the production of defense-related chemicals. These make later immune system responses quicker. When one tree gets attacked by harmful pests or deadly fungi, the mycelium can set off a chemical response in the root system to warn other trees.
As a metaphor for your company, we need to get to the roots of cybersecurity, and this includes five elements. You must do every one of these first.
First, in terms of governance: who owns your data, who owns your systems, and who maintains the System Security Plan? The mycelium under the trees acts as a microbial neural background.
When you look at mycelium and a node breaks, the network moves around it. You must have a plan to handle CMMC and know who will enforce policies.
Fungus migrated from the sea to land millions of years before plant life. The acids they produce broke down calcium in the rocks and produced soil. Your policy does the same thing.
The fungi worked by acting as carbon sinks. Fungus got the system working, just as your policy is required for cybersecurity. In fact, you should begin by writing a policy for how your company writes policy. You may in fact have a ton of existing policy, but you cannot protect what you don’t know you have.
After the great extinction event that killed the dinosaurs, the fungi inherited the earth. They could grow in the dark and even use radiation as food. The largest mycelium organism sprawls across 2,200 acres of Oregon and has lived since before the Christian Era. You need to know the spread of your CUI, endpoints, and people.
Have you counted them all? If you do not have a solid inventory system, you cannot have security. You need to know how sensitive data spreads through your network, for without an inventory it will spread like a rhizome, like mycelium.
Paul Stamets has long argued that the Internet just provides proof of concepts that already exist. The mapping of Internet traffic and Dark Matter all reflect the mapping of the rhizomatic spread of the rhizome.
You will need to keep a compliance machete at the ready to control access to sensitive data. Fungi act as gateway species. Stamets notes they let other life in. In fact, he creates physical and logical barriers of mycelium downstream from farms to remove excess fertilizer and deadly diseases like E. coli.
Awareness and Training
As he studies the fungi of the world, Stamets tries to preserve the genome. In fact, in collaboration with the Department of Defense, they discovered five ancient and almost extinct fungi in the old growth forests that could help fight pox-based diseases.
Ancient forests in China contain fungi that fight flu and SARS.
Saving our old growth forests is a matter of national security. Just like your cybersecurity.
Let’s get to the root of the issue