So that’s kind of a whistle-stop tour of cyber security. It is a mile wide and an inch or two deep, but hopefully gives you an idea of what to work towards when trying to build a cyber security capability and what you need to consider when planning this out. There is a lot of work involved and a logical flow of how you get there. You will need to go back and forth in your thinking as it’s hard to get it nailed on first pass.
The assessment of current capability and posture, along with the planning phase, is a significant investment, but absolutely vital in formulating a vision and strategy for the future of your security regime. It allows you to take stock, gain a true understanding of your current position, and work out which building blocks are required, and in which order, to reach your future vision.
Your strategy and business case are arguably your most important steps, as without them you won’t get off the ground. You need to get senior buy-in and a lackadaisical business case can lose that in seconds. You need to be honest about where you are and where you want to get to and how you can actually deliver a programme to get there. Do bear in mind that cyber is somewhat of a moving beast, so you cannot prescribe to the nth degree, but what you must do is have a coherent framework for how you develop the building blocks for your capability. Both of these though are built out of the previous steps in understanding your current capabilities, regimes, effectiveness, gaps etc.
This strategy and the subsequent business case need to translate complex ideas and themes into business language that will be understood by people who generally have no idea what cyber security is. They must also set expectations in terms of how long delivery will take and how the value returned increases over time as the programme is delivered.
Consider the full gamut, from hygiene foundations, team construct, recruitment and retention, and up-skilling, through tradecraft and intelligence development, to environment, tooling and infrastructure, and build these into both the strategy and the complementary business case, all the while keeping in touch with the overarching business vision.
Data is huge! It is the key to unlocking your potential. The more you can gather and exploit data, the more you will understand about your actual threats and the effectiveness of your controls in mitigating or detecting those threats. Do not underestimate the power of data, but do not just ‘do data’ because everyone says to do data. You want to exploit it for a purpose; make sure you do not stray from that vision.
Given all the references to MITRE’s Making Security Measurable efforts such as CVE, CWE, CAPEC, STIX, TAXII, CybOX, etc., it’s worth taking the time to understand that the goal is to become familiar with these common languages and community-developed efforts. Organisations sometimes look at them purely as XML languages and worry about how complex they would be to implement, rather than recognising that they are already implemented in COTS technologies that can be phased into the baseline over time as resources become available. It’s good to have a technology roadmap that shows how you plan to migrate to security technology that supports these community-developed formats rather than individual vendors’ proprietary formats. Obviously, if you are contracting out items like security assessments or penetration testing, the statement of work (SOW) should require that results be mapped to and/or delivered in these standardised formats.
If your future plans include applying data science to your cyber security problems, it is worth having a plan to adopt standardised languages and formats like those on MITRE’s website, which were developed through joint industry, academia and government collaboration. Keep in mind that most data scientists will initially spend 50 – 75% of their time just trying to get the data they need into usable formats before they can actually apply data science techniques. So having a plan to make your security data standardised and machine-readable will save you money in the long run when you are ready for advanced analytics.
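To make the "normalise first, then analyse" point concrete, here is an added example (not from the original article) that takes two constructed, hypothetical vendor report shapes, maps each finding to CVE and CWE references, and emits STIX 2.1-shaped Vulnerability objects; once everything is in one standard form, an analytic such as "findings per weakness class" no longer depends on which vendor produced the report. The vendor field names and the CVE-9999-* identifiers are constructed placeholders, and the STIX objects carry only the required fields plus external references.

```python
"""Normalise two constructed vendor finding formats into STIX 2.1 Vulnerability
objects with CVE/CWE external references, then run a vendor-agnostic analytic.
All vendor formats, field names and CVE-9999-* ids here are constructed placeholders."""
import re
import uuid
from collections import Counter
from datetime import datetime, timezone

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CWE_RE = re.compile(r"CWE-\d+")
NS = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")  # uuid5 DNS namespace

# Constructed exports: vendor A nests structured refs, vendor B buries them in free text.
VENDOR_A = [{"issue": "SQL injection in login", "severity": "High",
             "cve_refs": ["CVE-9999-0001"], "cwe": 89}]
VENDOR_B = [{"finding": "Outdated TLS library", "risk": 3,
             "notes": "See CVE-9999-0002 and CVE-9999-0003, weakness CWE-327."},
            {"finding": "Reflected XSS", "risk": 2, "notes": "Maps to CWE-79."}]

def from_vendor_a(rec):
    """Hypothetical vendor A adapter: refs already structured, CWE stored as an int."""
    return rec["issue"], rec["cve_refs"], [f"CWE-{rec['cwe']}"]

def from_vendor_b(rec):
    """Hypothetical vendor B adapter: pull CVE/CWE ids out of analyst free text."""
    return rec["finding"], CVE_RE.findall(rec["notes"]), CWE_RE.findall(rec["notes"])

def to_stix_vulnerability(name, cves, cwes):
    """Build a STIX 2.1-shaped Vulnerability SDO: required fields plus external refs."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    refs = [{"source_name": "cve", "external_id": c} for c in sorted(set(cves))]
    refs += [{"source_name": "cwe", "external_id": w} for w in sorted(set(cwes))]
    return {"type": "vulnerability", "spec_version": "2.1",
            "id": f"vulnerability--{uuid.uuid5(NS, name)}",  # deterministic: re-imports dedupe
            "created": now, "modified": now, "name": name, "external_references": refs}

def normalise(vendor_a, vendor_b):
    """Run every source through its adapter and wrap the results in one STIX bundle."""
    objs = [to_stix_vulnerability(*from_vendor_a(r)) for r in vendor_a]
    objs += [to_stix_vulnerability(*from_vendor_b(r)) for r in vendor_b]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

def count_by_cwe(bundle):
    """The analytic no longer cares which vendor a finding came from."""
    return Counter(ref["external_id"] for o in bundle["objects"]
                   for ref in o["external_references"] if ref["source_name"] == "cwe")

if __name__ == "__main__":
    print(count_by_cwe(normalise(VENDOR_A, VENDOR_B)))
```

The adapters are the 50 – 75% the text warns about; writing them once at ingest, or requiring the standard format in the SOW so they are not needed at all, is what makes the later analytics cheap.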
If you’re struggling with some of the concepts, go and speak to experts. Real experts! They will talk to you and share their journeys, and you will learn more from them than you ever will from expensive consultancy or vendors. Don’t believe the hype and myths; judge commentary by the experience of the person making it and by the substance of what they actually say. If it’s just theory with no practical value, don’t waste your time with it. If there is something you can take away, consider and apply, then fill your boots, and if you don’t understand some of it, ask them!
The more you understand the more you will be able to pick out the buzzwords and marketing spiel and uncover the substance and depth, or lack thereof.
Remember everyone is an expert these days, but when you scratch the surface you will quickly discover who the true experts are, and they are the ones to listen to and learn from.