The purpose of the information security function is to protect the business and its brand from cyber threats.
Why this book
I have been working in the Information Security field for over 20 years, having been the Chief Information Security Officer (CISO) for organizations ranging from FICO, to TransUnion, PricewaterhouseCoopers, and D+H, as well as building/leading cybersecurity consulting organizations delivering security, risk, privacy, & strategy services to clients around the world, to currently working as an independent cybersecurity consultant. From this experience across multiple companies and from sitting on both sides of the desk, I have developed a perspective on what works, and more often what does not work, in building effective information security programs. From this, I believe the heart of the problem of the continual breaches in the news is how risk is understood, and how it is (mis)applied in prioritizing action.
Over my security career, the regulations and frameworks for information security controls and programs have evolved extensively. The Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule was probably the earliest broadly applied cyber regulation (the final rule was published in 2002), being applicable to all financial institutions under the jurisdiction of the Federal Trade Commission (FTC). This regulation required each financial institution to develop a written information security program appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. More important, the regulation required that institutions identify reasonably foreseeable risks and assess the effectiveness of any existing safeguards for controlling these risks – with the unstated expectation, I expect, that companies should focus their efforts on strengthening the weakest safeguards.
This understanding, that companies cannot do everything and that they should focus their efforts on the risks that are most applicable to their organization, has continued as security frameworks such as the National Institute of Standards and Technology’s (NIST) 800 series or the International Standards Organization’s (ISO) 27000 series have developed. Both of these frameworks with their associated standards make extensive reference to the need to assess the risk to the organization and correspondingly focus attention on the weakest areas.
As standards and controls have grown more complex, and the control requirements more prescriptive, this is where the train has run off the tracks. The concept of risk, never well understood in my view in the security community, has become equated more often than not with an organization’s maturity relative to the control requirements specified by a published framework such as the NIST Cybersecurity Framework (CSF), the ISO 27001/27002 controls, or the NIST 800 series of controls.
These frameworks encompass hundreds of technical and process control requirements, and the end result is that all too often I have seen organizations fall into one of three traps: 1) analysis paralysis, 2) attempting to boil the ocean, or 3) misdirected mitigation. I believe that the escalating drumbeat of breach notifications in the news, in organizations both global in scope and the store next door, is directly attributable to these failures.
Analysis paralysis is the failure to take effective action to address risk due to being “stuck” in a state of near-constant analysis of the current state of the organization – quantitative risk analysis lends itself to feeding this problem. Boiling the ocean occurs when an organization, after conducting a framework maturity assessment, decides that the best way to protect the organization is to achieve full maturity across all controls in which it is deficient. And finally, misdirected mitigation occurs when an organization applies its limited funding and resources to strengthening controls that are not impactful to the greatest threats facing the organization but instead are easier and/or cheaper to implement.
In this book I will discuss how I believe organizations of all sizes can best make use of their limited resources to address the cyber risks that are most applicable to them (in the original spirit of the GLBA Safeguards Rule), and develop a security program that is lean, efficient and, more important, understandable to business executives and leadership.
About this book
As I explained above, this book was born out of my frustration seeing the deteriorating state of security across all industries, and how as regulations become more burdensome and technologies, both security and IT, more complex, we continue to dig the hole deeper and make the problems for ourselves worse instead of better.
The concepts behind this book have been developing over my career and have been reflected in articles I have published over the years on LinkedIn Pulse. Last year I started to explore the idea of turning these concepts into a book, but after discussions with a publisher I was frustrated by their expectations that the book must be of a particular size and word count in order to justify the high price they planned to sell it at, and that they expected me to basically be on a constant road tour to promote it.
A – I don’t have the time for this, B – I don’t like saying more than I have to say, and C – I am not doing this to make money, but rather because I believe in the message. Thus was born this online publishing approach.
I will be writing chapters as I have time and will be publishing them as drafts to my Heuristic Security website. As I receive feedback or questions, or I have time to reflect on the contents, I will be editing the chapters online. When at some point in the future I feel I have said all that I want to say on the topic, I will compile the contents into an ebook and make it available for purchase at a low cost on Amazon for anyone who might want a copy.
In the interim, constructive feedback is welcome – just write to me at [email protected]
As a final note, the materials to be presented in this book are not intended to represent the materials or services of any organization that I have worked with or for in the past, but instead are based on publicly available standards, regulations, techniques, and definitions. What is novel is my approach for the application of these standards, regulations and techniques to the problems of cyber risk assessment and management.