Please share your comments; critics make life meaningful!

Monday, January 16, 2023

Translating Cybersecurity & Privacy to English (and other global languages)

As a practitioner specializing in rather intricate domains which require subject-matter expertise (SME), one may feel compelled to indulge in industry jargon, multi-letter acronyms and figures of speech that make sense only to a few. This is even more true for technology domains of modern significance. Having been an SME in several such domains, including Cybersecurity, Privacy and IT Risk Management, I have seen this tendency first hand.

At first, I was a victim of this phenomenon when I transitioned from the Army to the Corporate world. The Army itself was a similar world full of jargon and acronyms, but the outstanding factor there was uniformity; terminology was common across people from the top to the bottom, and there was a good degree of commonality in terminology across other uniformed services such as the Navy and the Air Force with whom the Army has to deal occasionally. On making a mid-career shift to the Corporate world, I had to make significant efforts to adjust to the high degree of variance in the domain as it was practiced in the Enterprise as compared to the Army. But what exacerbated the change management experience was the perception of complexity in the Corporate world that came out of two aspects: (a) use of a lot of jargon, acronyms and figures of speech, and (b) lack of clarity in the definition and understanding of the sub-domains, and how all the moving parts fit into the overall big picture.

The problem is common across the three main areas of practice — the Enterprises, the Service Providers and the Technology OEMs. The latter two lead in the use of jargon and acronyms, and the former is almost eager to follow the lead established by the latter. Essentially, this leads to complexity and lack of clarity in reaching a common understanding, which in turn leads to prevalent confusion and an absence of transparency. I have reflected on this at length and made certain observations which are worth considering.

It is to the advantage of the Service Providers and Technology OEMs to make things complex and deny a clear understanding, simply because of the old adage “There is profit in confusion”. One can easily see who profits from complexity and how. Most OEMs align their products to existing industry semantics, and, in fact, they oftentimes create new jargon and acronyms when launching new product lines. The hype is necessary to create a buzz around their product, and complexity helps perpetuate the notion that the value of the product is much more than what it actually does. Many times, Service Providers support the new jargon and acronyms propagated by OEMs, and even add more such verbiage to substantiate their service offerings around specific OEM solutions.

An interesting role is played by Research organizations and other such third parties which have revenue streams aligned to specialization domains. Sometimes they provide definitions and explanations that help normalize and standardize prevailing or upcoming jargon; but sometimes they add to the confusion by creating new jargon and acronyms. In both cases, they stand to benefit commercially.

Hence, it becomes necessary for an SME to translate complex verbiage and present it in simple language to her/his internal audiences, especially to critical stakeholders such as the Board of Directors, Senior Leadership Team (SLT), C-suite executives, and Auditors. The confusion may exist at micro levels, like understanding how a specific technical solution provides a certain enterprise security capability. It can also be at macro levels, such as the definition of Cybersecurity, what constitutes Cloud Security, and the difference between a Policy, Standards, Guidelines, Processes, and Procedures. Regardless of what it is and how it is caused, complexity and lack of clarity do not bode well for an organization, nor for the SMEs who are involved in managing that function. It is critical to reach a common and clear understanding in SME domains, especially with non-SME internal stakeholders, for the very success and stability of the SME program.

What complexity and lack of clarity are you dealing with at your organization in terms of Cybersecurity and Privacy management? How would you like to solve these issues and challenges? Leave a comment here or reach out to me directly at Deepak.Rout@Assuranz.ca; I will be happy to suggest some thoughts and ideas!

Friday, January 28, 2022

Strategic Cybersecurity Perspectives Post-Pandemic

Recently an event organizer reached out to me to contribute to and moderate a CISO Round-Table panel where they had already chosen Ransomware as the dominant theme of discussion. I had a little time in hand while doing an errand and a bit of inspiration, so I managed to jot down some thoughts which I shared with the organizers to consider toward the session themes and flow, with a view to making the event topical, timely, relevant and engaging for the majority of attendees. I am reproducing the same here for business and IT leaders and Cybersecurity professionals to reflect and comment on.

1. Ransomware specifically and malware in general have been an oft-beaten drum in the security industry, and always manage to catch some interest. We can certainly include that as a theme; however, several critical and deserving areas demand attention which I would request us to consider.
2. End-Point Security:

(a) The domain of end-point security is large and varied, going well beyond ransomware/malware. We need to address the various device types (mobiles, tablets, laptops, desktops, servers, firmware and cloud workloads), the various OSs (Android, iOS, Linux, Windows — I’m not even touching Mainframe), and the fact that any user today wishes to access any enterprise service running anywhere (on-prem/cloud) using any of these devices.

(b) There are hardcore management aspects involved, such as asset management, patch management, config management, updates, upgrades etc., which are distinct from, albeit complementary to, the hardcore security aspects of EPP (AV), EDR (0-day), TVM (scanning), XDR (integrating with solutions managing other 0-day vectors), Mobile Device Management (MDM), Mobile Application Management (MAM), SecOps (monitoring) etc.

(c) Hence, it makes sense to address this bigger and far more complex jigsaw puzzle, which has been one of the main domains where our ongoing challenges have been exacerbated by the pandemic.

3. Other Security domains: Below is the minimum set of summary domains that are complementary to end-point security and critical to the enterprise, especially in the post-pandemic work environment.

(a) Identity & Access Management (IAM):

i. IAM is that super-glue holding together the effective and efficient (and yes, secure and privacy compliant) management of the various user communities (employees, partners, contractors, temps, and customers) trying to seek access to various enterprise resources running anywhere (on-prem/cloud) using any device (Corp issued or personal).

ii. In addition, it also needs to address needs such as Single Sign-on, MFA, Self-Service Password Reset, Risk-Based Conditional Access, PIM/PAM, and meet the increasing demand for Password-less authentication.

(b) Cloud Security:

i. Cloud Application Security Brokerage (CASB) for SaaS security and governance was already an established domain, and it has been further transformed post-pandemic by a surge in SaaS usage. Additional aspects of data protection and DLP, as well as threat management during SaaS usage, have become key aspects of consideration.

ii. Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP) and Threat Vulnerability Management (TVM) for IaaS and PaaS security and governance formed an emerging domain a couple of years back, trying to break out from under the wings of the CASB domain, which did little justice to the needs of IaaS/PaaS security. Post-pandemic it has turned into a domain in its own right and is transforming rapidly as we speak. Many enterprise security leaders and practitioners seldom see beyond the tip of the iceberg that is EDR protection for cloud nodes, while a gamut of security and compliance issues pertinent to IaaS and PaaS lie unaddressed, which this domain can do full justice to.

(c) Data Security:

i. Data Lifecycle Management and Data Protection, including: discovery of data; its classification & labelling based on content & context; its encryption and authorized access, as well as denial of unauthorised access & auditing of the same; tracking, to inventory which authorized entity has access to it at a given time; its revocation as/when required; its retention for as long as required; and its delegated access as/when required to authorised delegates for compliance, legal, investigation & other necessary requirements.

ii. Data Leakage Prevention (DLP) encompassing Email (and other collaboration channels such as Teams, SharePoint, Office docs etc.), End-Point (all OSs in all form factors and at all locations, on-prem and cloud), and Cloud (SaaS, data repositories, cloud shares etc.).

(d) Network Security: Perhaps the least important domain in this perspective, as it has been reduced to a carrier of identities and data/information.

(e) SecOps:

i. Security Information & Event Management (SIEM), to include aggregation of all events from all sources; their correlation to discern potential security incidents, leveraging AI & ML to reduce human dependence and fatigue; and end-to-end management of security incidents in a scalable, management-free (hence SaaS-based) platform that is easy to work with and learn.

ii. Security Orchestration & Response (SOAR), to include automation of workflows and remedial actions pursuant to security incidents and investigations.

iii. User & Entity Behaviour Analytics (UEBA), to include infusion of user/entity context into security incident management.

iv. Threat Intelligence (TI) on the dynamic global threat environment, built into the platform to make it intelligent about and capable of dealing with such threats.

(f) I have glossed over Network security, it being a very traditional security domain which has by and large passed into the hands of IT Ops over the last few decades.

(g) I have also not done justice to critical areas such as DevSecOps and the Security skills shortage, which are very relevant and somewhat different issues to touch upon.

Saturday, May 23, 2020

Re-imagining the Enterprise Security Risk Paradigm in the cloud and Mitigating them Effectively

Traditional enterprise security had the following main characteristics:
1. It was built around two major asset groups - network, and end-point (servers and desktops/laptops).
2. It aspired to defense in depth, which constituted Protection, Detection and Response layers for both of these asset groups. However, the primary focus was on Protection.
3. Application and data security were considerations met by VA/PT in case of apps and encryption and obfuscation in case of structured data. There were no practical technology options for unstructured data for which strong policies were formulated and left for users to comply with.
4. In addition, SIEM and DLP tools were added as tertiary measures with a detection mindset, but they were riddled with a very high percentage of false positives, and required a huge army to monitor meaningfully. SIEM solutions gathered security event information focused on the network layer and correlated it to look for security incidents. DLP solutions sat in-line at the enterprise perimeter, and were also embedded as an agent on end points, to look for string matches in traversing unstructured data files.
5. IAM was an important aspect but typically not within the ambit of enterprise security, and was deemed too complex to be left to enterprise architects to figure out. Monolithic technological solutions were deployed for IAM which covered a minuscule fraction of enterprise apps, because of cost as well as the extensive implementation and operational effort.

Cloud has turned enterprise security on its head:
1. In the cloud, Identity security is the most important aspect to get right. It must be multi-layered, with protection, detection and response capabilities and a focus on protection and detection. It should be simple and easy, so that cloud can be practical for the enterprise. It must also be cognizant of the dynamic threat landscape, so that an identity compromise in one part of the cloud is not relayed to another, or from one cloud to another. It must have built-in behavior analytics to discern any already-compromised identities, to assure a zero trust operational environment. It must work for all clouds, and the same Identity security capability must also scale to the non-cloud world of the enterprise.
2. Cloud based DLP cannot be an after-the-fact detection solution but must be a wholesome enterprise capability distributed across multiple cloud security solutions and engineered into those solutions while integrating with each other to build a holistic enterprise capability. This enterprise DLP capability must also seamlessly cover the non-cloud world of the enterprise including all information repositories anywhere.
3. Cloud based SIEM must address security monitoring and SecOps for all elements in a specific cloud - IaaS to SaaS, as also cover all clouds. It must also integrate seamlessly with the on-prem security and operational infrastructure.
4. Cloud based End-point security must be multi-layered to address known and unknown threats, and must work for on-prem as well. Such end-point security must always be identity aware and user behavior driven.
5. Cloud based Network Security must scale to cover extended networks across multiple clouds, and further extend to or integrate with on-prem network security. It must also be behavior driven.
6. Integrated threat management across all or most of the above security aspects, empowered with cutting-edge threat intelligence, should be built into all the cloud security solutions above.
7. AI and ML must be leveraged wherever possible to handle the high volume and velocity of security event information and threat intelligence in the cloud.

What does this imply?
To address security in the cloud in an effective manner, the erstwhile approach of putting together a patchwork of heterogeneous solutions cannot work or scale. Enterprise Security solutions in the cloud era:
(a) Should be native to the cloud operational platforms and cloud applications as much as possible.
(b) Must be consolidated on one cloud security platform that can cover all clouds and on-prem.
(c) Must be dynamically threat aware, with quality threat intelligence, to provide an intelligent, integrated and effective enterprise security suite.

Tuesday, July 10, 2018

Confessions of a Serial CISO: Enterprise Security Metrics
As a CISO, I struggled quite a bit to build my security metrics and dashboards. I invested a lot of time/effort, resources and budget on them:
  • Read all four leading books on the subject, and collated the best practices
  • Considered leveraging reporting dashboards of and/or data from GRC tools and other leading security platforms (SIEM, Vuln mgt, DLP etc.)
  • Included both technology metrics as well as process and people metrics (HR security, physical security, BCP/DR, risk assessments, audit/compliance findings, change mgt, incident mgt etc.)
  • Deployed my team as well as vendor/partner security teams on building tailored enterprise security dashboards that fed from all the above and rolled up in a couple of layers of reporting that could make sense to middle and higher management, including the board
I am not sure if building security metrics for enterprises is any easier now than what I encountered a couple of years ago. But some of the areas of challenge are better served now: visualization, integration, and automation.
  1. Building customized security metrics was challenging while working in Excel, Tableau etc. One had to build visualization templates as well as integrate data from multiple sources, while the visualization tool itself did not come with any built-in security reporting logic.
  2. Integrating the reporting from multiple tools/platforms, and adding process/people metric data into it was always a huge challenge.
  3. Automating reporting and more importantly downstream action/remediation mostly remained a good to have wish.
On all these fronts, there are a lot of advantages to adopting the Microsoft 365 (M365) Security and Compliance suites, and the Azure Security platform. Power BI reporting is built into most of these, and is on the horizon for all. So, it becomes quite effortless to build integrated security metrics by aggregating and collating Power BI reporting from all the tools in M365 and Azure. Further, by plugging data from other third-party security solutions into this aggregated Power BI, it can become an enterprise-level security reporting tool for Microsoft and all your other key partners. Furthermore, reporting capabilities in Microsoft 365 and Azure include both usage and security information, so the enterprise security dashboard can be elevated to include usage metrics when required. Of course, there are a lot of details to consider in terms of what reporting is available by default in which workload, what reporting can be turned on, what is in the roadmap etc. But there is an integrated security (& usage) reporting story waiting to be explored in detail.

Having taken a detailed look at some of these capabilities, I feel confident to report that security reporting capabilities in M365 and Azure are rich and layered. They can be somewhat dispersed and may need a bit of integration to turn them into an enterprise security dashboard. I think it would pay great dividends to unify and integrate all these reporting capabilities, which are an integral part of M365 and Azure (so no additional burden to TCO); they help bring great transparency to enterprise risk management, besides being excellent props for a strategic security conversation with senior execs and the Board. They can also be easily drilled down into for operational audiences if/when required.

From my humble learning over CISO tenures and numerous CISO interactions, here are some key considerations for building high quality Enterprise Security Metrics:
  • Architecture: Build them right with the following components, even if some of them are blank for a while; remember, information gaps tell a story as well:
    • Modular: They should represent all major security domains (whether one uses ISO 27001, NIST, ISF, PCI-DSS or any other major global/industry standard)
    • Hierarchical: There should be multiple layers of details - at least 2, preferably 3 or more. The highest layer would be suitable for executive consumption and lower layers for the lower levels of management. One should be able to dive deep into the data to the level of raw data from the contributing platform where relevant.
    • Growing: They should have a means of demonstrating growth in maturity of the Enterprise Security program, whether on CMM or any customized maturity level program, which should be elaborately documented.
    • Threshold: Each metric should be comparable against a known good or expected threshold to indicate basic success and desirable levels of success. This is also connected to the previous aspect of Growth.
    • Customized: There should be a way to customize all four aspects above, i.e. add/delete/modify a domain, a layer of detail, and a level of maturity.
  • User Interface: Make them easy to consume, attractive and intuitive, and help them tell a story to a variety of user groups: Board of Directors, executive leadership, senior management, auditors, operational management, business functions and user cohorts.

Saturday, March 24, 2018

Mega-trends in Enterprise Information Security

The enterprise perimeter has become punctuated by multiple technology and business factors, including the advent of mobility and connected devices (BYOD, and IoT), adoption of cloud technologies and solutions (IaaS, PaaS and SaaS), and proliferation of shadow IT (budgets for technologies managed outside of IT, such as for marketing and digital initiatives). Consequently, the enterprise information security mandates and expectations need to be commensurate with these phenomenal changes. There is complete acknowledgement of this need, which is being witnessed in the form of some key changes in the component domains of information and cyber security.

From a strategic perspective, security governance, risk management and compliance have been the key domains, referred to as GRC. Technology platforms in this space have slowly matured over the last decade plus, but have rarely kept pace with the needs of an enterprise to evaluate its specific security risks, assess those risks internally and track deployment of risk mitigation measures. Meanwhile, the GRC space itself has been transformed into something which Gartner calls Integrated Risk Management (IRM). Existing GRC technology platforms are, unsurprisingly, the front runners to fulfil this space, but we are likely to see a similar lag between the enterprise ask of IRM and what technology platform providers can offer.

On the operational side, two areas have solidified as critical to enterprise information security: Identity & Access Management (IAM) and Security Operations (SOC).
  • IAM got dissected into several specialization domains such as Identity Provisioning/Deprovisioning, SSO, Identity Governance & Administration, Access Management & Certification, Privileged Identity Management (PIM) etc., and we are now seeing a consolidation of all of these domains back into IAM, with considerable possibility of, and appetite for, outsourcing the IAM platforms.
  • SOC has been highly outsourced from the beginning, through service offerings called Managed Security Services (MSS) provided by MSSPs (MSS providers), based on two core security platforms: one for logging and correlation of security event logs, called Security Information and Event Management (SIEM), and another for tracking leakage of information, called Data Leakage Prevention (DLP). Both platforms have gone through significant metamorphosis over the last decade plus. From pure log collection, to focussed correlation, to a combination of both and the inclusion of behavioural analytics, SIEM has been through quite a bit of transition and evolution. DLP has been a monolithic platform that looks at data traversing a perimeter, whether that of a device or a network, and matches certain criteria that make such data inappropriate to traverse through that perimeter. With the enterprise boundaries vanishing literally into the cloud, we have had to look at managing data within the numerous repositories it can get created and stored at, and preventing such data from going across trust boundaries from such repositories. The new class of managed service providers in this space are now said to be providing Managed Detection & Response (MDR) Services.

It is worth examining each of these mega trends above which I will attempt to do in subsequent blogs.

Meanwhile, we are continuing to witness paradigm shifts in enterprise security, where point capabilities for management of specific security functions are being replaced by broad-spectrum solutions at scale, often hosted in the cloud. There is likely to be further consolidation in this space, where existing players broaden their scope, large enterprise players traditionally not known for security emerge as key players, and new ones appear on the horizon, leapfrogging on Artificial Intelligence and Machine Learning.

Wednesday, August 30, 2017

Information Security enabling Digital Transformation

The domains and practices of Information Security (IS) have certainly matured over the last two decades of their formal existence. ISO 27001/2, instituted in 2005 and revised in 2013, and prior to that BS 7799, published in 1995, date the domain very clearly. However, maturity in the practice of IS has accelerated only in the last decade, during which we have witnessed broad acceptance of security as a key pillar of Information Technology (IT). But it's only in the last few years that IS has become accepted as a core business concern, and cyber risks have risen to become one of the top three risks for business around the world. This period also coincides with the biggest data breaches across business sectors, and the largest global malware attacks of all time. So, it may be assumed that IS has come to prominence due to the visibility created by such large attacks and breaches, but I'd argue that there was no stopping the evolution of IS as a key business consideration even without such breaches and attacks. In the last few decades, IS has grown from being mainly a compliance-driven function to a key business requirement, primarily due to the increasing reliance of modern business on computing, data, and digitization. This digital transformation era has brought IS risks to the fore as significant and sometimes critical risks to the enterprise, and the breaches and attacks we are witnessing are only the manifestation of some of these risks into reality.

Security practices have also evolved in these few decades from mostly compliance mandates to design, engineering, and architecture considerations, and risk management measures. The IS standards and frameworks have for a long time been a broad set of flat controls to be complied with uniformly across the enterprise, with a focus on protection. Then, in recent times, they have evolved to be multi-tiered and risk based, with a cyclic paradigm. The NIST Cybersecurity Framework in particular covers the entire gamut of security functions: Identify, Protect, Detect, Respond, and Recover. Policies and processes have evolved from single-layered to multi-layered, independent to inter-dependent, and largely manual to mostly automated.

Security practitioners have evolved from infrastructure specialists with a compliance focus to risk managers and business enablers. Security technology companies have also evolved from boutique security firms such as Symantec to global multinational technology providers who build security into their broader technology solutions meant to support core business, productivity and digital transformation, such as Microsoft. Security technologies have evolved from point security tools with little and tedious integration, focusing on the network layer, to multi-function solutions designed to be interoperable and work as one fabric. For example, the Enterprise Mobility Suite (EMS) from Microsoft provides comprehensive identity, device, and data management/security capabilities while also being designed to work seamlessly with the Microsoft Office 365 and Windows 10 platforms. Security solutions have become integrated and embedded into the technology infrastructure fabric; for example, Windows 10 comes pre-built with Anti Virus, SPAM protection, Device protection, Credential protection, Advanced threat protection etc.

Security managers, CISOs, infrastructure leaders, architects, CIOs and business leaders need to get involved and examine closely how security should be managed within enterprises in the cloud and mobility era, so that they get it right the first time, and procure integrated, scalable, and complementary solutions which complement productivity, provide a secure operating ecosystem to accelerate digital transformation, and enable technology consolidation and cost containment.

Monday, February 29, 2016

A model for quantified, pragmatic and transparent Cyber Risk Management

Quantifying Risk is on the one hand a tough proposition, but on the other it is essential to get a firm grip on Risk Management and obtain stakeholder buy-in. Cyber Risk has emerged as a critical business risk that all entities need to deal with: from enterprises to individuals, from education and research establishments to Governments.

There are several frameworks that suggest a variety of approaches to Risk Management. The approach enumerated below is a hybrid approach borrowing from several frameworks, with a focus on quantification of risk measurement and risk management. I have had the opportunity to witness it in practice in Operational Risk Management domains, including Cyber Risk. The approach encompasses quantification of risk at all steps in an end-to-end Risk Management Lifecycle: from inherent risk to residual risk to risk acceptance, transfer and mitigation.

A: Risk Heat Map:
The following steps enumerate the process of assessing risks with a view to create a risk heat-map.
1. Create a Risk Inventory: Build an inventory of risk outcomes applicable to the specific entity being assessed by considering all types of assets, their inherent vulnerabilities, and the relevant threat vectors and actors which can exploit those vulnerabilities. Given here is a list of Cyber Risks:

2. Compute Inherent Risk: Evaluate the impact and likelihood of each risk; compute the inherent risk severity for all risks (4 to 1 - Critical, High, Med, Low) by compounding their Impact and Likelihood.
3. Build Risk Heat-map: Develop a risk heat-map by plotting risks across two axes - Impact and Likelihood.

B: Risk-Control Matrix (RCM):
1. Map all risks to the corresponding and relevant controls.

C: Inherent Risk:
1. Define levels of effectiveness for all controls (1 to 4 - completely effective, mostly effective, not effective, not present).
2. For all instances where risks map to controls in the RCM, multiply the risk severity level (values 4 to 1 - critical, high, medium, low) by the level of control effectiveness required to mitigate the risk (default value of 4, i.e. control not present).
3. Add up all the numbers; that score represents inherent risk.

D: Control ‎Effectiveness Evaluations:
1. Evaluate all controls and score them as per their current level of control effectiveness (generic definitions of all four levels are to be drafted, and the current state compared to the generic definition; the default is 1 unless demonstrated otherwise).

E: Residual Risk:
1. For all instances where risks map to controls, multiply the risk severity level number by the current level of control effectiveness.
2. Add up all the numbers; this score represents current residual risk.
3. Compute the % of current residual risk against inherent risk.

F. Target State:
1. For all instances where risks map to controls, multiply the risk severity level number by the matching level of control effectiveness: if the risk is critical (R=4), the control effectiveness must be completely effective (C=1), and similarly if the risk is high (R=3), the control effectiveness must be mostly effective (C=2).
2. Add up all the numbers; this score represents target residual risk.
3. Compute the % of target residual risk against inherent risk.

G. Risk Mitigation Road-map:
1. Compute the differential of the average control rating per security domain/category.
2. Organize the security domains/categories in order from highest to lowest differential.
3. Set thresholds of differentials for high, medium, and low categories.
4. Map security domains/categories to corresponding risk mitigation projects in order of priority from high to low.
5. Assign the current-to-target residual risk % differential proportionately between high (50% of differential), medium (30%), and low (20%) category projects, and further divide it equally among the projects within each category.
6. As the projects complete, the target residual risk will be achieved.
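The whole model above, sections B through G, can be carried through end to end in a few dozen lines. The following is an added example, not code from the original post, run against a constructed inventory of five risks, six controls and their risk-control matrix. Three things are assumptions rather than statements from the post and are marked as such in the comments: the target effectiveness for medium and low risks follows the same "similarly" pattern as critical and high (target C = 5 - R); a control that maps to several risks takes the strictest target among them; and the high/medium thresholds on the domain differential are constructed values of 2.0 and 1.0.

```python
"""Worked example of the quantified cyber risk model (sections B to G)."""
from collections import defaultdict

# Risk severity scale (section A): 4 = critical, 3 = high, 2 = medium, 1 = low.
# Control effectiveness scale (section C): 1 = completely effective,
# 2 = mostly effective, 3 = not effective, 4 = not present.
NOT_PRESENT = 4

# --- Constructed sample data; not taken from any real assessment ---
RISKS = {  # risk -> inherent severity, impact x likelihood already compounded
    "ransomware": 4,
    "credential theft": 4,
    "data exfiltration": 3,
    "insider misuse": 2,
    "web defacement": 1,
}
CONTROLS = {  # control -> security domain/category it belongs to
    "endpoint EDR": "Endpoint Security",
    "offline backups": "Endpoint Security",
    "MFA": "Identity & Access",
    "privileged access mgmt": "Identity & Access",
    "DLP": "Data Security",
    "web app firewall": "Application Security",
}
RCM = [  # section B: (risk, control) mappings
    ("ransomware", "endpoint EDR"),
    ("ransomware", "offline backups"),
    ("credential theft", "MFA"),
    ("credential theft", "privileged access mgmt"),
    ("data exfiltration", "DLP"),
    ("data exfiltration", "privileged access mgmt"),
    ("insider misuse", "DLP"),
    ("web defacement", "web app firewall"),
]
CURRENT = {  # section D: assessed current effectiveness of each control
    "endpoint EDR": 2,
    "offline backups": 4,
    "MFA": 3,
    "privileged access mgmt": 4,
    "DLP": 3,
    "web app firewall": 1,
}


def target_effectiveness(severity):
    """Section F: critical (4) needs C=1, high (3) needs C=2. The post says
    'similarly', so this ASSUMES the pattern continues: medium 3, low 4."""
    return 5 - severity


def score(effectiveness_of):
    """Sum of severity x effectiveness over every mapping in the RCM."""
    return sum(RISKS[r] * effectiveness_of(r, c) for r, c in RCM)


def inherent_risk():
    """Section C: every control treated as not present (C=4)."""
    return score(lambda r, c: NOT_PRESENT)


def residual_risk(current=CURRENT):
    """Section E: current control effectiveness."""
    return score(lambda r, c: current[c])


def target_risk():
    """Section F: required control effectiveness per risk severity."""
    return score(lambda r, c: target_effectiveness(RISKS[r]))


def pct(part, whole):
    return round(100.0 * part / whole, 1)


def domain_differentials(current=CURRENT):
    """Section G step 1: per domain, average current rating minus average
    target rating. A control mapped to several risks takes the strictest
    target (ASSUMPTION; the post does not say how to combine them)."""
    target_by_control = {}
    for r, c in RCM:
        t = target_effectiveness(RISKS[r])
        target_by_control[c] = min(target_by_control.get(c, NOT_PRESENT), t)
    cur, tgt = defaultdict(list), defaultdict(list)
    for c, domain in CONTROLS.items():
        cur[domain].append(current[c])
        tgt[domain].append(target_by_control[c])
    return {d: sum(cur[d]) / len(cur[d]) - sum(tgt[d]) / len(tgt[d]) for d in cur}


def roadmap(current=CURRENT, high=2.0, medium=1.0):
    """Section G steps 2 to 5: rank domains by differential, bucket them with
    the given thresholds (constructed values), and split the residual-risk %
    gap 50/30/20 across high/medium/low, equally among projects in a bucket.
    One project per domain is assumed. An empty bucket allocates nothing."""
    gap = pct(residual_risk(current), inherent_risk()) - pct(target_risk(), inherent_risk())
    shares = {"high": 0.5, "medium": 0.3, "low": 0.2}
    buckets = defaultdict(list)
    for domain, diff in sorted(domain_differentials(current).items(), key=lambda kv: -kv[1]):
        buckets["high" if diff >= high else "medium" if diff >= medium else "low"].append(domain)
    plan = []
    for cat in ("high", "medium", "low"):
        for domain in buckets[cat]:
            plan.append((domain, cat, round(gap * shares[cat] / len(buckets[cat]), 1)))
    return plan


if __name__ == "__main__":
    inh = inherent_risk()
    print("inherent", inh, "residual", residual_risk(), pct(residual_risk(), inh), "%")
    print("target", target_risk(), pct(target_risk(), inh), "%")
    for domain, cat, share in roadmap():
        print(f"{domain:22s} {cat:6s} {share:5.1f} % of the gap")
```

On the constructed data the inherent score is 100, the current residual is 80 (80%) and the target residual is 38 (38%), so the roadmap has 42 percentage points to distribute. Note the negative differential for Application Security: its only control is completely effective against a low risk, which the model correctly ranks last, since spending more there would not move the residual figure.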

Monday, March 30, 2015

Developing a common understanding of Cybersecurity

1.      Introduction
1.1       Semantics often get in the way of common understanding. The impact of semantic confusion can be extreme when the subject under consideration is critical to business. Cybersecurity has been used to mean a wide variety of things in recent times; there is even a dichotomy in the term itself – it is also referred to as Cyber Security (I have adopted Cybersecurity over Cyber Security for reasons explained in section 4 of this document). Whatever the interpretation, it is agreed by all concerned that Cybersecurity matters pose significant risks to Governments, to industry sectors and to the general public. An entire industry has sprung up to meet the perceived need around managing these risks and is valued at over $160 Billion [1]. There is also consensus that Cybersecurity is closely related to the domain of Information Security [2]. Hence, professionals working in the domains of Information Security need to develop a good understanding of it to fulfil their mandates.
 
1.2       Being a practicing Information Security professional, I have faced the same challenges and tried to develop a clear firsthand understanding of Cybersecurity. Through this paper, I have made an attempt to capture a brief summary of the same.

2.      Origins of ‘Cyber’
2.1       The word ‘Cyber’ has Greek roots roughly meaning one who guides a boat, such as a pilot or rudder operator. Plato adapted this word to mean something like ‘governance’ and associated it with Government control, as Governments steer society. In the twentieth century, American mathematician and philosopher Norbert Wiener foresaw the rise of sophisticated robots which would need artificial intelligence to control their actions. Wiener coined the word ‘cybernetics’, borrowing from Greek roots, to mean such intelligent controllers and indicated that they would be difficult to design and build. So Wiener retained the connection between technological control and governance. Speculative fiction novelist William Gibson foresaw the ‘space’ of virtual interactions in his 1984 novel ‘Neuromancer’ and coined this as ‘Cyberspace’, borrowing ‘Cyber’ from Wiener. Many adopters of the early Internet were fans of Gibson’s work, so cyberspace became a standard name for the place you went when you were on the Internet. Gibson’s usage, however, reversed the context of governance in the word cyber, as the Internet inherently is not amenable to central control systems.
 
2.2       Meanwhile, security experts had already settled on the term ‘Information Security’ to mean the securing of information and digital systems, and it was considered synonymous with ‘Computer Security’ and ‘Network Security’. The British Standards Institute (BSI) published the first set of standards around Information Security, namely BS 7799 [3], in 1995; these were later incorporated into the global standards from the International Organization for Standardization (ISO), namely the ISO 27000 series. The current Information Security standards are ISO/IEC 27001-2 [4], updated in 2013.
 
2.3       It is interesting how ‘Cybersecurity’ got mindshare when we already had another useful term, ‘Information Security’, for the same thing. There is no clear research establishing this, but it is attributable to a combination of military influence, marketing hype and societal acceptance. As digital technology became vital for business and Governments, the military started preparing to defend national interests in this area. Conventional military thinking revolves around the defence and attack of some kind of space – terrain, aero-space etc., so cyberspace became a handy reference to the digital domain. Hence, securing cyberspace became cybersecurity; and besides a lot of defensive measures, it came with some offensive measures as well. The term Cyber has found easier acceptance with the media and, through it, with the wider society. While Information Security sounded formal and demanded a deeper understanding of technology aspects, Cybersecurity connected well with science fiction and popular imagination, and it struck a chord with business leaders and industry experts in the increasingly digital global commerce. No surprise then that the accepted semantics were quick to overflow into other areas - cyber criminals, cyber attacks, cyber war, cyber defence, cyber diplomacy etc.
 
2.4       Interestingly, with leading global Governments increasing their Cybersecurity capabilities, designed to exert control and exercise governance on Cyberspace, we have come full circle as regards the meaning of ‘Cyber’ to Wiener’s vision of technocratic control, and Plato’s vision of Government control.

3.      Searching for a reliable definition of ‘Cybersecurity’
3.1       Having understood the origin of the term, it is essential to get an understanding of the term itself. There are quite a few close variations in the meaning and scope of Cybersecurity, and there are some outliers. I have summarized them in the succeeding paragraphs and in the end provided recommendations that Information Security professionals may like to consider.
 
3.2       Dictionary Meaning: A prominent online dictionary defines it as ‘measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack’ [5].
 
3.3       General understanding in Computer Security communities: Security aspects have always lagged behind functionality in the world of computing. This has been an oft-repeated sequence at all stages of the Information Technology revolution – be it mainframes, PCs, the Internet, cloud, mobile, social media or cyber. However, the time lag between the two has been narrowing with each stage of technology advancement. Computer security [6] or IT Security has come to be known as a discipline applied to computing devices such as computers and smartphones, as well as to computer networks, both private and public, including the Internet. It includes ‘all processes and tools by which digital equipment, the information they contain and services provided using them are protected from unintended or unauthorized access, change or destruction’. Computer security has grown in importance due to the increasing reliance on computer systems in most societies. It includes physical security to prevent theft of equipment and information security to protect the data on that equipment. In recent times, ‘Cybersecurity’ is often used synonymously with Computer Security.
 
3.4       Views from Technology Media: A few leading technology publishers have tried to define Cybersecurity:
3.4.1 Tech Target: ‘The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies Cybersecurity.’ [7]
3.4.2 Techopedia: ‘Preventative methods to protect information from being stolen, compromised or attacked in some other way. It requires an understanding of potential information threats, such as viruses and other malicious code.’ [8]
 
3.5       Definition by Industry Sectors: The International Telecommunication Union (ITU) defines Cybersecurity [9] as ‘the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.’ Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.
 
3.6       Definition by Govt.: NIST defines [10] Cyberspace as a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. A cyber attack is defined as an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. Consequently, Cybersecurity is defined as ‘the ability to protect or defend the use of cyberspace from cyber attacks.’
 
3.7       Definition by Research Firms: In June 2013, Gartner acknowledged that there is confusion in the market over how the term should be used, and published a research paper to define ‘Cybersecurity’ [11].
3.7.1 Analysts Andrew Walls, Earl Perkins and Juergen Weiss wrote that “use of the term ‘Cybersecurity’ as a synonym for information security or IT security confuses customers and security practitioners, and obscures critical differences between these disciplines.” To help set the record straight, the team defined the term: ‘Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.’
 
3.7.2 The paper clarified that ‘Cybersecurity is a superset of the practices embodied in IT security, information security, Operational Technology (OT) security and offensive security’ and provided an illustration to underline this.
 

3.7.3 Gartner advised: ‘Security leaders should use the term ‘Cybersecurity’ to designate only security practices related to the combination of offensive and defensive actions involving or relying upon information technology and/or operational technology environments and systems.’


3.8       Recommendations: The Gartner definition encompasses in spirit all the preceding definitions suggested by industry bodies, professional organizations and Government. It also clearly outlines the components of Cybersecurity and sets them in context with an illustration. However, it underlines an offensive element which may not apply to entities other than Government organizations with specific authorized mandates. Moreover, employment of such measures would amount to infringement of law in most parts of the democratic world. So, for understanding and implementation of Cybersecurity measures at an enterprise or entity level other than such Government organizations, the Gartner model is very suitable; however, it needs to be applied minus the offensive security measures. This does not alter the definition of Cybersecurity as such; rather it limits the applicability or scope of Cybersecurity for enterprises.
 
4.      Is it Cybersecurity or Cyber Security?
4.1       In addition to the multiple definitions of Cybersecurity, we also need to consider the different ways of referring to the term itself - ‘Cybersecurity’ or ‘Cyber Security’ [12]. These terms are getting more and more mixed usage lately. There isn't any recognized authority on the subject per se, but we could take guidance from the Associated Press, which still holds the throne when it comes to news copy style; it says it is one word, Cybersecurity: ‘Cyberspace is a term popularized by William Gibson in the novel "Neuromancer" to refer to the digital world of computer networks. It has spawned numerous words with cyber- prefixes, but try to avoid most of these coinages. When the combining form is used, follow the general rule for prefixes and do not use a hyphen: cyberattack, cyberbullying, cybercafe, Cybersecurity.’ There are some exceptions to the prefix rule, specifically around proper nouns, such as ‘US Cyber Command.’ Besides the Associated Press, most of the credible sources quoted in section 3 above use the single-word form.

5.      Staying clear of the hype around Cybersecurity
5.1       A few in the research community have held out against painting everything cyber, although their ranks are thinning due to the growing global acceptance of the term by Governments, industries and even the public in general. Gartner VP and distinguished analyst John Girard urges enterprises to ignore the hype around cyber security spending and look at the areas of their business that need protection [13]. He adds that many of the activities labelled cyber security are not only not new but could also be dangerous practices that should not be followed. Girard suggests that executives need to question the use of Cybersecurity budgets before making decisions on the subject, as according to him many security vendors and practices in cyber security tend to work the same way.
 
5.2       Girard recommends that enterprises spend on core operational and procedural security rather than investing large sums in zero-day vulnerabilities and country watching, or sinking huge budgets into dealing with advanced threats. He advises enterprises to concentrate on core infrastructure security, application security and security processes.
 
6.      Conclusion
6.1       I echo Girard’s sentiments as Security Management is a function with which come expectations of very high trust and it is belied by such hype. I can see a connection between the hype and the offensive element in the definition of Cybersecurity. Thus, by discarding the offensive element from the definition of Cybersecurity, enterprises can avoid the associated hype as well.
 
6.2       Something is common to all enterprises – the need to understand their business, document their critical information infrastructure, and deploy multi-layered protection measures that provide a tiered set of preventive, detective and corrective controls, which together define their information security and OT Security framework. While doing so, a risk-based approach is an absolute must, where residual risks, the risk mitigation road map and the risk appetite should be clearly understood by security leadership and articulated to executive leadership. There is no room for hype while developing this understanding, making recommendations for risk mitigation, and taking executive decisions.
 
6.3       Offensive measures are out of scope for enterprises, being violations of law. However, enterprises in some critical sectors may need to establish tight partnerships with suitable Government establishments to report cyberattacks, and the concerned Government establishment may have the mandate for retaliatory or offensive measures.
 
References:

Thursday, March 19, 2015

INFORMATION SECURITY STRATEGY AND MEASURING ITS EFFECTIVENESS THROUGH SECURITY METRICS

 
Introduction:
Enterprises have learnt to give Information Security (IS) the attention it deserves. However, the realization has come later than it ought to have. There is still the opportunity to make good the delay by adopting a pro-active and holistic approach while creating, maintaining and augmenting an Enterprise Information Security (EIS) program. Key aspects of such a program are:
·         Formulating a customised EIS strategy and road map.
·         Its effective implementation in an integrated manner.
·         Measuring effectiveness through customised EIS metrics.
 
A plethora of technology platforms, voluminous processes and significant numbers of people are available and deployed in the implementation of security programs in enterprises, while scant attention is paid to the other two elements, strategy and metrics. This paper focuses on those two elements.
 
Security strategy and metrics go hand in hand, and both are very dynamic in nature owing to changing business requirements and the changing threat landscape. Hence, there is a need to understand their dependence and symbiotic nature, from creation of the respective programs to their execution and continuous improvement. It is also pertinent to note that EIS metrics are a facet of EIS strategy. Thus, although it is possible to create an EIS metrics program independently, it is best practised with an eye on the big picture and created as an indispensable part of a dynamic EIS strategy.
 
Why:
EIS strategy is of paramount importance to align the EIS program with enterprise business objectives and provide the necessary return on investment (RoI). In the absence of an EIS strategy, the program can flounder and would not be positioned to deliver the results expected of it; there would also be no accountability for the program, and hence no productivity.
 
There are multiple reasons for measuring EIS metrics:
·         EIS metrics are vital to demonstrate EIS program effectiveness, provide accountability, justify past investments and seek future investments, and instil stakeholder confidence/assurance.
·         Federal agencies in the US are mandated by a number of existing laws and regulations, such as the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA), and the Federal Information Security Management Act (FISMA), to undertake IT performance measurement in general, and IT security performance measurement in particular. IT Security metrics are a core component of EIS metrics.
·         Similar regulatory regimes are prevalent in most developed and developing economies globally.
  
How:
EIS strategy should be simple. It should take into account the industry sector, the size or revenue of the enterprise, its risk appetite, the business model and its unique business objectives or goals.
 
EIS metrics should be practical, standardised and scalable. They should evaluate security at the system level, facilitate decision making, and aggregate all operational-level metrics to produce dashboards at the enterprise level and at the business unit and/or geographical entity level. EIS metrics should also show relevant trends over time, help track performance and direct resources to initiate performance improvement.
 
Development Process:
The EIS strategy development process consists of the following generic activities, which would need to be customised for individual enterprises:
·         Enumeration of business objectives.
·         Identification of EIS drivers – Legal, Regulatory, Financial, Operational etc.
·         Stock taking of the current EIS program, if any.
·         Creation of a risk based and business aligned EIS program including:
o   IS Roles and responsibilities (both within IS as also outside of it)
o   IS Organization structure
o   IS Governance framework
o   IS Risk Assessment methodology and framework
o   IS Controls and Assessment framework
o   IS Architecture framework
o   IS Operations framework
o   Outline roadmap including major projects and initiatives
o   EIS Metrics framework
 
The EIS metrics development process consists of the following generic activities, which would need to be customised for individual enterprises:
·         Definition/documentation of the current EIS program
·         Selection and development of metrics to measure implementation, efficiency, effectiveness, and impact of the EIS program
 
Detailed Considerations for EIS Strategy:
EIS strategy should be aligned to business strategy and corporate vision. It must leverage all existing strengths, tools, processes, people and frameworks of the enterprise. It should spell out the security organization structure, roles and responsibilities, the catalogue of services provided, the road map of security programs, projects and initiatives, and define customised security policies/standards/procedures. It must work out the cross-functional collaboration framework and touch points with complementary functions including Enterprise Risk Management, Compliance, Legal, BCP, DR, Privacy, Information Management, HR, IT Operations, Physical Security etc.
 
Detailed Considerations for EIS Metrics:
EIS metrics should reflect security program maturity (status of all programs, projects and initiatives) as well as security control effectiveness (compliance with policies, standards and procedures). Both data types should be processed through a customized framework aligned to the risk appetite of the organization, and the results of such processing should be demonstrated through multiple dashboards configured around the needs of specific target audiences. Generally, 3 levels should suffice; however, this could either be reduced to two levels in the case of smaller enterprises with fewer consumers of such dashboards, or increased to additional levels to provide greater granularity in the case of large and global enterprises with higher complexity.
 
While adopting a 3-level representation, the highest level should be an overall indicator. The next level should be indicative of the component sub-domains into which security has been carved out for the enterprise, and each sub-domain should get an appropriate weightage, with the total adding up to 100%. The sub-domains should be broken down to one more level of metrics, which can come from security technology platforms or security processes and have varying weight contributions to the sub-domain they belong to. These last-level metrics are real data from systems and processes, while the two levels above are abstractions based on this data as per a framework customised for a specific company.
 
Some options for level 1 dashboard are:
·         3 colours (Red/Yellow/Green) or 5
·         % of score out of 100
·         Levels 1 to 3 (or 5)
 
Suggested components of level 2 dashboards are:
·         Governance
·         Risk
·         Compliance
·         Architecture
·         Operations
 
Suggested components of level 3 dashboard with types of operational metrics for each are:
·         Asset Management metrics
·         Communication Security Metrics
·         Perimeter Security Metrics
·         End Point Security Metrics
·         Application Security metrics
·         Identity & Access Management metrics
·         Access Control metrics
·         Vulnerability Management metrics
·         Patch Management metrics
·         Malware Management metrics
·         Change Management metrics
·         Incident Management metrics
·         Business Continuity and Disaster Recovery metrics
 
Each of the suggested operational metrics domains comprises multiple metric elements, and each applicable element needs to be customised for a specific enterprise. Also, the list above does not cover GRC metrics, which need to be configured for an enterprise in a customised manner based on its EIS strategy and implementation roadmap.
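As an added illustration of the three-level roll-up described above (example code, not from the post), the block below takes level-3 operational metrics normalised to 0-100, rolls them up by weight into the level-2 sub-domains named in the post, and renders the level-1 indicator in the three forms listed; the metric names, weights, sample values and colour/level thresholds are constructed assumptions.

```python
"""Added example (not the post's own code) of the 3-level EIS metrics roll-up.
Level-3 operational metrics (scores 0-100) roll up by weight into the level-2
sub-domains named in the post, which roll up by weight into one level-1
indicator.  The post requires each level's weights to total 100%; the metric
names, weights, sample values and thresholds here are constructed."""

# Level 2: sub-domain -> weight % (constructed; must total 100)
SUBDOMAIN_WEIGHTS = {"Governance": 15, "Risk": 20, "Compliance": 15,
                     "Architecture": 20, "Operations": 30}

# Level 3, constructed sample: sub-domain -> {metric: (weight %, score 0-100)}
METRICS = {
    "Governance": {"policies_reviewed_on_schedule_pct": (100, 80)},
    "Risk": {"risks_with_named_owner_pct": (60, 90),
             "risks_reassessed_in_12_months_pct": (40, 50)},
    "Compliance": {"controls_tested_pct": (50, 70),
                   "audit_findings_closed_on_time_pct": (50, 60)},
    "Architecture": {"systems_with_approved_security_design_pct": (100, 65)},
    "Operations": {"patches_applied_within_sla_pct": (40, 85),
                   "endpoints_with_current_malware_protection_pct": (30, 95),
                   "incidents_closed_within_sla_pct": (30, 40)},
}


def _check_weights(weights, label):
    """The post requires the weights at each level to add up to 100%."""
    total = sum(weights)
    if abs(total - 100) > 1e-9:
        raise ValueError(f"{label}: weights total {total}, expected 100")


def subdomain_scores(metrics=METRICS):
    """Level 3 -> level 2: weighted average of each sub-domain's metrics."""
    scores = {}
    for sub, items in metrics.items():
        _check_weights([w for w, _ in items.values()], sub)
        scores[sub] = sum(w * v for w, v in items.values()) / 100
    return scores


def overall_score(sub_scores, weights=SUBDOMAIN_WEIGHTS):
    """Level 2 -> level 1: weighted average across sub-domains.  Every weighted
    sub-domain must be present so a missing feed cannot silently inflate the score."""
    _check_weights(weights.values(), "level 2")
    missing = set(weights) - set(sub_scores)
    if missing:
        raise ValueError(f"no level-2 score for {sorted(missing)}")
    return sum(weights[s] * sub_scores[s] for s in weights) / 100


def five_colour(score):
    """Level-1 option 1: five-colour rating (thresholds are assumptions)."""
    for floor, colour in ((80, "Green"), (65, "Light green"), (50, "Yellow"), (35, "Orange")):
        if score >= floor:
            return colour
    return "Red"


def level_1_to_3(score):
    """Level-1 option 3: maturity level 1..3 (thresholds are assumptions)."""
    return 3 if score >= 75 else 2 if score >= 50 else 1


def level1_dashboard(metrics=METRICS, weights=SUBDOMAIN_WEIGHTS):
    """All three level-1 representations listed in the post for one data set."""
    score = overall_score(subdomain_scores(metrics), weights)
    return {"score_pct": round(score, 1), "colour": five_colour(score),
            "level": level_1_to_3(score)}
```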
 
Conclusion:
The above considerations are not sacrosanct or sequential. Rather, they provide a framework for envisioning EIS metrics, and their appropriate customization for a specific enterprise. The type of operational metrics depends on the status of enterprise processes and supporting technology platforms, as also evolution of the EIS program and its stage in the maturity life cycle.