Cybersecurity, Where Art Thou?

The other day, I was having a normal lunch with my friend, where we meet regularly to work on our lock-picking skills in the middle of a restaurant and talk shop. Emphasis on the word “normal.” My friend holds a senior position at a company that was rapidly scaling due to a recent acquisition. He was tasked with hiring for and filling their first security role.

“What should this job posting entail?” he asked. When I asked what they were looking for, he listed off the many responsibilities of this role, including: internal monitoring, policy creation, risk assessments, physical security, data protection (with a touch of understanding of cloud migration) and most importantly, a specialist in HIPAA compliance for some of their clients.

I call this response “the limit does not exist.” I suggested looking into a governance, risk, and compliance analyst role, considering the specificity of, and burning need on, the compliance aspect. This person could assess their risk posture as it relates to their information, while temporarily delegating the technical hardening tasks to their IT unit.

We scrolled through an online example of this role and he said: “Yes, that’s exactly what we need!” I showed him the salary range, both nationwide and specific to our state, and that’s when reality set in. They could not justify that cost; my mistake was not considering their budget for this task from the start.

So, we did a mad scientist mockup of a “specialist” position, where the future candidate would soon get the best in-the-trenches experience of their career. Moral of the story: investing in security is the first step; compromising comes next.

The Issue: Where do I start?
When your board has allocated funds for cybersecurity, the heavy burden of following through with the ‘perfect’ investments in resources now lies on your shoulders. The lunch with my friend brought one question up between the both of us: when it comes to creating your security plan, where do you even start?

When one has a constrained budget, no baseline, defined needs and deadlines, and essentially has to hire the David Blaine of infosec to secure their enterprise, what do you prioritize and how do you pick a strategy?

Security is not about investing purely in shiny tools to turn your infrastructure into Optimus Prime. Security is tactical, focusing on automating, orchestrating, and most importantly, measuring. I like to believe there’s a science to it, and that science includes four essential steps:

1. Measure Your Baseline [Cost: $ | third-party service or internal auditor’s hourly wage]
Stop checking boxes and ordering nameplates. Security starts with how well you know your enterprise, not yet with filling seats and configuring blinking dashboards. Perform a full security assessment and when I say full, I mean FULL. The truth hurts, but knowing your weaknesses helps prioritize your activities.

{*inserts Sun-Tzu quote here} If you do not have a qualified expert in house, this type of discovery may mean outsourcing the job to a third party. Regardless of your route, the findings are the most powerful information you have for designing your roadmap.

2. Prioritize with Pie [Cost: $$ | third-party service or internal auditor’s hourly wage over time]
Like pie, we want to create a wholesome and delicious dessert we can predictably re-create and enjoy time after time with minimal recipe modification. Maybe the people eating your pie are vegan or gluten-free or allergic to nuts, meaning the pie itself needs to be customized to fit your risk posture and not disrupt business.

This pie is made up of several slices, each slice representing a program. These programs are your identity and access management practice, data protection, endpoint security, risk and compliance, incident management, threat intelligence, third-party management, and the list can go on depending on the size of your organization and the extent of your business expansion. It’s not overwhelming, just necessary and time consuming. Prioritize your programs and bake that perfect pie.

3. Enhance the P, P, T’s [Cost: $$$ | investment costs for technology and staffing, and hourly wages for internal policy and procedure creation]
Now that your roadmap has been designed, it’s time to augment your programs with the necessary people, processes, and tools for operational success. This type of investment is both in resources and, you guessed it, TIME. During each program’s design phase, perform a gap analysis to measure the baseline maturity of that slice. The identified gaps give you a starting point for the technology and staffing requirements to include in your budget. Your roadmap not only shows an honest depiction of where you are, but empowers you to choose where you want to be.

People, processes, and tools are the bread and butter of any individual security program; whether you choose to outsource these resources or invest internally for independent function, they are still the binding requirement for operations. This is the difference between TRULY investing in cybersecurity versus merely negotiating your cyber insurance policy and strengthening your public relations plan.

4. Measure Again... and Again... and Again [Cost: $ | technology maintenance costs, hourly wages for continued automation, orchestration and analysis]
The baseline has been cemented, the roadmap has been paved, the resources have been allocated... now what? Metrics are the vital means of demonstrating efficacy. Each program has key performance indicators attached in order to measure the effectiveness of those resource investments. The ability to translate these data points is also crucial, as they represent your crystal ball.

We dread that time of year when the C-suite asks for either the IT or the security budget, because typically we aim to mirror the prior year’s spreadsheet and alter it slightly for new positions or tools. With metrics, you can regain confidence in this budget. You can feel as if you just performed heart surgery on a patient, and that patient is able to give a detailed Yelp review of how well you performed. The activity of measuring defines your return on investment and the justification for further improvement.

The Opportunity: Evolution
Why should you care about any of this? Because the need is real, not just for this industry but for the way we do business. Organizations have perked up their ears and accept that cybersecurity is imperative to their operations, but we lack the proper adaptation in how we apply it. We live and breathe frameworks in this field, but we need to address maturity analysis and how understanding our individual performance is the true defender against threats.

My apprenticeship was solidified in NIST 800-53r4 to the point where the framework guidance was like my bedtime lullaby every night. Eventually, we begin to ask the question during our audits, “Do we really do this?” Yes, the policy exists; yes, the IDS is installed; but the rulesets are lackluster defaults gathering dust while the egress they are meant to watch sits wide open. We need confidence. We need strategic approaches. We need evolution.

A rising millennial in the world of cybersecurity, MacKenzie Brown founded The Ms. Grey Hat Organization, a non-profit aimed at empowering more women to enter the field starting with childhood education, with a focus on developing precision ‘black hat’ skills to become a ‘white hat’ professional that can thwart malicious attacks. She authored a three-part Unicorn Extinction blog series – an introspective on women in cybersecurity – for the 2017 RSA Conference. She puts her ‘grey hat’ skills into practice as a research principal at security services firm Optiv, where she helps enterprises around the world assess and optimize threat preparedness.