This series, What is Cybersecurity?, outlines the basic tenets of how the three areas of the cybersecurity triangle may be implemented by an organization. The cybersecurity triangle (people, process, technology) has been the focus of the series, as it provides an easy, understandable framework for discussing what comprises cybersecurity and the areas of concentration to focus cybersecurity programs. While it is always nice to have a picture of what things are supposed to look like, these puzzle pieces are not always the easiest to put together. A large portion of this puzzle is perfect, blue sky—almost impossible to piece together!
In Part 2 we discussed why and how people matter in cybersecurity. We discussed the realities of why dedicated cybersecurity personnel are needed for an effective cybersecurity program. The key aspect of Part 2 was the basic tenet that cybersecurity people are extremely important, as cybersecurity is not an automated playing field, but an environment of people against people. So far, no malicious piece of code has been written solely by a computer program, and hopefully none will be any time soon.
So how do these expert cybersecurity personnel do their jobs? It is process, process, and process!
I Hate Paperwork
The first thought that goes through most cybersecurity professionals’ minds when process is mentioned is “I hate paperwork.” This is understandable because paperwork is not reviewing logs or mining data or developing rules to defeat the bad guys. Every cybersecurity professional, especially the defenders, thinks of themselves as the good guys and everyone else as the bad guys. It is only natural for this dichotomy to exist, and it usually places the cybersecurity professionals in the right frame of mind. If there isn’t some ownership of the defense, then it may not be that important to protect properly. It is human nature.
When paperwork is discussed, it has the same effect as turning on the lights in a room and all of the shy elements scurry to the dark corners. The excitement level is greatly reduced when we start thinking of paperwork. Yet what paperwork provides a cybersecurity program is invaluable.
For those of you who have read the first two parts of this series, you’ve seen by now that I am not saying anything people don’t already know. There is no point in reinventing the wheel. Plenty of brilliant minds have looked at cybersecurity and the basic tenets do not change. This is why I have been discussing the cybersecurity triangle. But this does not mean people automatically do what they need to do to achieve success.
Cybersecurity is a rather broad term which covers a wide range of fields. From the basic Incident Response capabilities to Network Defense strategies and Advanced Heuristic analysis, the cybersecurity field leverages multiple specialties and experiences. Because of this diverse set of skill sets, it is imperative for an organization to document its cybersecurity processes to ensure the long-term viability of its program. This does not mean an organization develops processes, holds multiple review and approval rounds with an anonymous Vice President (or another person whose responsibilities include “some computer security thing”), and then places them in a binder on a shelf to collect dust. Or even worse, uses those processes and continues to use them 15 years later. A system must be enacted where processes are reviewed on a periodic basis and updated as necessary. While technology isn’t changing as fast as it did in the late 90s or early 2000s, it does change and those who fail to adapt will leave themselves open for potential operational issues when the ship starts to go down.
In a doomsday scenario, I would hate for you to think that process would keep the end of the world from happening. Instead, processes can be used to streamline reactions to events and give a solid foundation to all aspects of the organization when dealing with events that may cause undue stress. One of the greatest benefits of established processes is giving personnel who may not be as experienced a reference point to use while learning their jobs. This only enhances the ability of your operations by showing what needs to be done and even sometimes how to do it.
Processes are not always the easiest to work on, and it takes effort and time to properly develop processes that function and make sense in your operational environment. However, the expense is worth the investment when you see how cybersecurity personnel become more efficient and better able to handle situations when they have the basic foundation upon which to build. There is never a single-shot resolution with cybersecurity, but there is a way to put the puzzle together which gives the defense the best shot at winning.