Cybersecurity Strategy – Organise to Operate
Black Hat is an awesome event! For those of you who do not know what Black Hat is, I suggest having a look at the website here (https://www.blackhat.com/). Not that I want to direct you away from this article but there are some great resources they provide for those who cannot get to the live events – for free! For those who can’t be bothered reading the link Black Hat is for the more techie-minded in the world of Cybersecurity. It’s a great event and there are some great talks, training opportunities, and the ability to completely refresh your T-Shirt collection for another year! For me, I particularly enjoy hearing from the founder. Jeff Moss. In one of his introductions to a Keynote speaker (Amanda Rousseau AKA Malware Unicorn), he spoke about the principle of being “organised to operate“. A principle that is fundamental to developing an effective cybersecurity strategy. Here’s why…
Cybersecurity Strategy – Origin Story…
The concept “organised to operate” was attributed by Jeff Moss to General Michael Hayden. General Hayden, now retired, had a distinguished career in the US Military Intelligence and has held the roles of Director of the CIA and Director of the NSA. Hayden currently co-chairs the Bipartisan Policy Center‘s Electric Grid Cybersecurity Initiative. General Hayden has also written two books “Playing to the Edge: American Intelligence in the Age of Terror” and “The Assault on Intelligence: American National Security in an Age of Lies” which are well worth a look. I actually had the pleasure of meeting General Hayden just over 10 years ago and he seemed like a very nice chap! In short, he knows about cybersecurity strategy so it’s worth listening to what he says on the topic!
So what is “organised to operate” and how does it fit in with Cybersecurity Strategy? Essentially:
“If you want to operate effectively, you need to be effectively (& appropriately) organised for the task at hand”
What Jeff alluded to at Black Hat is that organisations are far too busy organising themselves to operate as compliance shops, and I’m inclined to agree that this is the case in a lot of organisations. Banks may want to tick boxes for Regulators, Vendors may want to tick boxes for the businesses they supply, Retailers may want to tick the box that they “take protecting your privacy seriously“. As someone who has conducted more third party risk reviews that I can remember, I have seen the box-ticking mentality so many times and, as much as it pains me to say it, anecdotally, it’s more common in organisations who with ISO 27001 certificates. I don’t know why this is, but having a compliant management system with lots of documentation seems to become all-consuming. Sadly, what gets lost is the premise that securing the organisation is the core objective! Now to caveat the above, I am a strong advocate of ISO standards. It is how an organisation implements and maintains its ISMS that is of concern. If more organisations took on board General Hayden’s organise to operate principles when developing their cybersecurity strategy, it’s highly likely the result would be a more secure world!
So how do you organise to operate? Basically, there are three high-level components to being organised to operate: 1. Be involved in the solutions; 2. Engage with the enemy and; my personal favourite, 3. Everyone has a plan until they get punched in the face! let’s have a look at how they are essential components of a cybersecurity strategy.
Be involved in the solutions
A CISO will not have an effective cybersecurity strategy simply by listening to vendors tell them they have the silver bullet solution to all their woes. The CISO must be involved in architecting a holistic cybersecurity programme. Before identifying those potential solutions the CISO must determine what the problems they are trying to solve. Solutions must be fit for purpose too. It’s no good getting the budget for a shiny new SIEM tool if you don’t have the human resources to operate the tool. It’s no good signing up to a three year managed service for a SOC if you don’t actually know what you’re going to get for your money. An effective CISO will do her research, work with the business, develop requirements and be involved at every stage of the solution implementation process. That doesn’t mean they need to do all this work themselves (although in small teams they may not have a choice) but it does mean the CISO knows what is going on and is not being led by vendors promising the world. CISOs also need to have a handle on how much things should cost and how to calculate the security ROI of their security procurement. Just because you may currently be benefiting from a massive budget doesn’t mean that will always be there – every penny must count! As a CISO, every once in a while, ask yourself:
“What is my involvement in our Cybersecurity programme? Am I leading or being led?”
Engage with the enemy
Whilst some may see engaging with the enemy as attending vendor-sponsored dinners or sports events where salespeople try to schmooze you to sell you stuff, what is mean by engaging with the enemy is engaging with the actual enemy. Those trying to break into your network to steal data or cause havoc and disruption. So how does the average CISO engage with such an enemy?
Engaging with the enemy doesn’t need to involve covertly lurking on deep-web hacking forums, trying to pass yourself off as a wannabe hacker (you’ll probably get found out very quickly Mr ahem Bond). What it can mean however is using resources such as the MITRE ATT&CK framework to better understand the Tools, Techniques & Procedures (TTPs) of the adversaries who may be attacking your infrastructure. Go to events such as DEFCON (non-Corporate) and Black Hat (Corporate) or Troopers (Germany) and learn from others. Engage indirectly by studying data breaches in other organisations. How did the adversary get into your competitor’s infrastructure? The key takeaway is to learn, challenge your assumptions (stop kidding yourself that you’re fully secure) and be ready to respond with a solid, well-rehearsed incident management plan.
Everyone has a plan until they get punched in the face!
The other way this is often phrased is
“No plan survives first contact with the enemy”
It’s so true. Why? Well because all plans are based on assumptions, forecasts, probabilities and current knowledge. We think the enemy will come at us with a car bomb at street level, so we prepare for that, completely unaware they are about to fly planes into the sides of skyscrapers. We, therefore, lock down the airports, increase surveillance, go to war. The enemy changes tactics and adopts a more lo-tech strategy of ploughing through crowds with a van rental and knives taped to their arms so they can’t be wrestled away. Whilst the above examples are intentionally visceral, it’s still the same principles we need to apply when creating our cybersecurity strategy:
“Flexibility & Resilience”
CISO’s cybersecurity strategy must not be intransigent. The world changes and you will need to adapt. Creating a cybersecurity strategy that is adaptable will mean a CISO can reorganise to operate in a changing threat environment. Those threats could be external but could also be internal (E.g. Loss of budget, Loss of Capability, Loss of Critical Resources). The CISO also needs to develop a cybersecurity strategy that engenders resilience. It’s analogous to having an iron jaw. It doesn’t matter how many times the organisation gets punched in the face, they can take it because they have architected resilience into their infrastructure. It’s worth noting this cannot be done in isolation within technology. Organisations must make their business processes resilient in a holistic manner. People, Locations, Assets, Supply Chain as all components of our business processes and they all need resilience baked in to avoid the weakness akin to a glass jaw.
Is your Cybersecurity Strategy organising you to operate?
Hopefully, you, the reader, are the kind of CISO who aspires to be organised to operate in your industry’s threat landscape. If you think you already are [organised], then you’re probably not. There is probably never a time where any CISO will reach the zenith of perfection, where every foe can be vanquished swiftly and without impact but with a solid, flexible and resilient cybersecurity strategy, continued engagement with the enemy and a focus on risk-based decision-making over tick-box compliance, you just might stand a chance in keeping your organisation secure.
About The Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 27001:2013 article 25 awareness bcms breach change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPIA DPO DSAR GDPR incident management information security leadership management Outsourced DPO Privacy processor resilience risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools transparency vciso virtual ciso vulnerability scanning