Blog, RBVM

Super Wicked Problems in the Context of Cybersecurity

  1. By seconize
Super Wicked Problems in the Context of Cybersecurity

The term super wicked problems was first introduced in a 2012 paper by Kelly Levin, Benjamin Cashore, Graeme Auld, and Steven Bernstein. It was developed to describe unique global challenges, particularly climate change, that are characterized by extreme complexity, urgency, and resistance to traditional problem-solving methods.

These problems are an extension of the broader concept of “wicked problems,” which was initially coined in 1973 by Horst Rittel and Melvin Webber to describe societal planning challenges.

Super wicked problems are distinguished by four critical traits:

  1. Time is Running Out: The problem demands urgent action before it becomes irreversible.
  2. No Central Authority: Responsibility is fragmented, with no single entity to enforce solutions.
  3. Those Solving the Problem Are Also Contributing to It: Actors trying to address the problem often perpetuate it through their actions.
  4. Policies Favor Short-Term Gains Over Long-Term Solutions: Decision-making is driven by immediate benefits, often at the expense of sustainable resolutions.

While the concept has been most prominently applied to climate change, its relevance has expanded to other domains, including cybersecurity within organizations, where similar traits are evident.

Cybersecurity is no longer just a technical challenge

it’s a super wicked problem that is urgent, complex, and self-perpetuating.

Vulnerabilities, Third-Party Risks, and Compliance are prime examples of cybersecurity challenges that exhibit the traits of super wicked problems:

1. Vulnerabilities in IT Systems

(Unpatched software, misconfigurations, and zero-day exploits that attackers can exploit)

  • Time is Running Out: Cybercriminals discover and exploit vulnerabilities faster than organizations can patch them. Zero-day vulnerabilities can be weaponized within hours.
  • No Central Authority: Security patching is distributed across multiple teams (IT, DevOps, Security, and third-party vendors), leading to delays and inconsistencies.
  • Those Trying to Solve It Are Also Contributing to It: Organizations often delay patching due to compatibility concerns, business disruptions, or lack of visibility into vulnerable systems.
  • Policies Favor Short-Term Gains Over Long-Term Security: Patching is often deprioritized in favor of operational uptime, leaving organizations exposed.

Super Wicked Justification: Vulnerabilities are an ever-growing, dynamic challenge that requires continuous scanning, prioritization, and remediation—yet, many organizations struggle to keep up, leaving them perpetually at risk.

2. Third-Party Risks

(Cybersecurity vulnerabilities introduced by vendors, suppliers, and service providers)

  • Time is Running Out: Supply chain attacks (e.g., SolarWinds, MOVEit breach) have increased, with attackers targeting third-party service providers as entry points into enterprises.
  • No Central Authority: Organizations rely on multiple vendors with varying security postures, and enforcing uniform security standards is nearly impossible.
  • Those Trying to Solve It Are Also Contributing to It: Companies depend on third parties for critical services, yet often lack the visibility and control to enforce security best practices.
  • Policies Favor Short-Term Gains Over Long-Term Security: Many organizations assess vendor security only during onboarding and neglect ongoing risk assessments, leaving them vulnerable.

Super Wicked Justification: Third-party risks are systemic, difficult to monitor, and require constant reassessment. Without automation, organizations struggle to maintain continuous visibility into their supply chain security.

3. Compliance and Regulatory Challenges

(Meeting cybersecurity standards like GDPR, ISO 27001, SOC 2, NIST, and evolving global regulations)

  • Time is Running Out: Regulatory requirements are rapidly evolving, and non-compliance can lead to severe fines, legal actions, and reputational damage.
  • No Central Authority: Each country or industry has different compliance requirements, leading to fragmented and overlapping regulations.
  • Those Trying to Solve It Are Also Contributing to It: Companies collect more data than they can securely manage, increasing their compliance burden. Additionally, many organizations treat compliance as a checkbox exercise rather than integrating it into their security strategy.
  • Policies Favor Short-Term Gains Over Long-Term Security: Organizations often focus on passing audits rather than maintaining continuous compliance, leading to security gaps between assessments.

Super Wicked Justification: Compliance is a moving target, requiring continuous adaptation and investment. Relying on manual processes for compliance tracking is ineffective in today’s fast-changing regulatory landscape.

Approaches to Address Super Wicked Cybersecurity Problems

Organizations must adopt a strategic and adaptive approach to tackle these challenges, focusing on collaboration, innovation, and sustainable practices:

1. Centralized Cybersecurity Governance

  • Establish a Unified Cybersecurity Function: Create a centralized team or role (e.g., a Chief Information Security Officer) to oversee cybersecurity strategy, execution, and accountability.
  • Implement Clear Policies: Develop unified frameworks for managing risks, aligning business units, and enforcing compliance.

2. Emphasize Proactive Measures

  • Risk-Based Prioritization: Use risk assessments to prioritize cybersecurity investments in high-impact areas like critical systems or data protection.
  • Continuous Monitoring: Implement real-time monitoring tools to detect and respond to threats before they escalate.

3. Foster Collaboration Across Stakeholders

  • Cross-Department Collaboration: Build alignment between IT, legal, HR, and other departments to address cybersecurity challenges collectively.
  • Third-Party Engagement: Establish strong partnerships with vendors, ensuring adherence to security standards and regular audits.

4. Promote Long-Term Thinking

  • Incentivize Sustainable Investments: Allocate resources to long-term cybersecurity projects, such as security automation, zero-trust architecture or advanced threat intelligence systems.
  • Awareness Campaigns: Conduct ongoing training for employees to cultivate a security-first mindset.

5. Adopt Agile and Adaptive Frameworks

  • Dynamic Policies: Regularly update cybersecurity policies to keep pace with evolving threats and regulatory changes.
  • Incident Response Planning: Develop and test incident response plans to ensure preparedness for emerging threats.

6. Leverage AI/ML for Automation

  • Use AI/ML to automate repetitive tasks like vulnerability scanning, compliance checks, and threat detection, enabling faster and more accurate responses.

7. Measure and Report Progress

  • Key Performance Indicators (KPIs): Track metrics like time-to-detect, time-to-remediate, and compliance adherence to assess cybersecurity posture.
  • Board-Level Reporting: Regularly communicate cybersecurity risks and progress to leadership to secure ongoing support and resources.

Conclusion

Each of these cybersecurity challenges reflects the core characteristics of super wicked problems: urgent, decentralized, self-perpetuating, and dominated by short-term thinking. Addressing them requires multi-stakeholder collaboration, long-term planning, continuous adaptation, and cultural shifts—hallmarks of tackling super wicked problems.

TAGS :

Related

26 May

What is Full-Cycle Vulnerability Management?

18 Dec

How startups can build improved security posture

25 Nov

The Emperor Has No Clothes: The Illusion of Securi

11 Jul

SEBI's New Framework for Regulated Entities
SEBI’s New Framework for Regulated Entities

05 Jul

Seconize Product Brochure

09 Dec

The Little Dutch Boy of Cybersecurity: Plugging Co

11 Jul

Automation in Compliance Audit Management
The Power of Automation in Compliance Audit Manage

23 Oct

Third-Party Risk Management
Third-Party Risk Management: A Key Pillar for de-r

02 Dec

IT audit planning guide
IT Audit Planning Guide and Free Templates

17 Feb

Vulnerability Management
Vulnerability Management: The Sisyphean Boulder of

25 May

How to Design a Vulnerability Management Program?

Categories

GRC

RBVM

In the News

Meetings

Recent Posts

How Small Vulnerabilities Lead to Massive Breaches

The Butterfly Effect in Cybersecurity: How Small Vulnerabilities Lead to Massive Br

Super Wicked Problems in the Context of Cybersecurity

Super Wicked Problems in the Context of Cybersecurity

Cybersecurity and Cyber Resilience Framework

SEBI Extends Cybersecurity and Cyber Resilience Framework Compliance Deadline for R

Vulnerabilities

Karma and Vulnerability Management: A Cybersecurity Perspective on Vulnerabilities

Cybersecurity Audits

Pandora’s Box or Treasure Chest? Reframing Cybersecurity Audits

Schedule a Demo​
Book a session with one of our senior Customer Success Specialists.​
GET IN TOUCH

About Us

Company

Career

Our Team

Partner

Contact

Use Cases

Risk-Based Vulnerability Management

Compliance Management

Vendor Risk Management

Application Security Testing​

Linkedin Facebook-f Twitter Youtube Rss
Ofofo Cyber Security Marketplace

Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.