Protective Security: Applying the lessons from Science.
The American Scientist, Leroy Hood, is quoted as saying:
Leroy Hood, MD, PhD
SVP and Chief Science Officer, Providence;
Chief Strategy Officer, Co-founder and Professor, ISB
Never has this been more important than when designing an effective Protective Security/Information Security/Cyber Security strategy.
As someone who has worked in the security industry for over 32 years and who has been employed in Protective Security/Information Security/Cyber Security since 2002, I've learned the importance of looking at the bigger picture.
If I had a £ or a $ for each time that an organization has ended up suffocating in the weeds of compliance, only to suffer a compromise to one of their valued business services, I would be an extremely wealthy person.
Baselining your business
Recently the Center for Internet Security (CIS) reviewed and updated its Critical Security Controls (CSCs). In Version 8 the control set has been simplified and reduced to 18 control domains (the CIS 18 CSCs):
Now you might think that version 8 has simply dropped 2 of the previous 20 security controls because they were downgraded.
However, if you compare the new version against the previous one, you will see a distinct difference in the prioritization of the control domains, e.g. Vulnerability Management has dropped in criticality from No. 3 to No. 7, while Data Protection has jumped from No. 13 to No. 3.
Version 8 continues to tag each sub-control (now called a Safeguard) with an Implementation Group, a scheme introduced in version 7.1:
Green Dot = Implementation Group 1 - Applicable to all companies (small to large)
Orange Dot = Implementation Group 2 - Additional Controls for storing sensitive information
Blue Dot = Implementation Group 3 - Additional Controls for very sensitive information.
Version 8 is a far cry from my experiences of baselining a Saudi Space Program with the Basic controls from the CIS 20 CSCs, version 5, which were later reported to reduce the risk of cyber attacks by 85%.
Slow your horses there Cowboys/Cowgirls
Okay, now that you've seen some of the detail of the evolution of the CIS 20 CSCs, I'm sure that you're wanting to rush out there and start implementing these 18 critical security controls.
Are you looking at the bigger picture?
It may seem very appealing to apply these simplified security controls across your business, but to make this a manageable endeavor you need to ask yourself some questions, e.g.
What are the perceived business risks?
Will this be proportionate to the perceived risks?
Do you understand what is important to the business stakeholders?
Is this appropriate for all the business services/operations?
Are there more valuable business services/operations?
What are the most important business services?
Should this be applied against a priority of business services?
Can I 'slice n dice' the business, against the business' priorities?
How can I demonstrate a return on investment to the business stakeholders?
Start by identifying and prioritizing your business services/operations against your business's Mission Statement/Objectives. Priority 1 being those business services/operations that are identified as being the most valuable/critical to the Mission Statement/Objectives.
Once you have a prioritized list of business services, begin quantifying the risks to these business services/operations and estimate the costs of implementing (Group 1, 2 & 3) the CIS 18 CSCs against each of these business services. Your break-even point is when the costs of implementation are within an acceptable range of the predicted risk reduction.
Is it feasible to implement all 18 domains and the full suite of the 153 security controls at an estimated annual cost of £1 million, when the perceived maximum quantified risk to the business is estimated at between £1 million to £2 million?
Despite the risk being perceived as being greater than the estimated costs, does this represent value to the business?
Is this aligned with your Business Key Stakeholders' risk appetite levels?
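The prioritization and break-even questions above can be turned into a repeatable screen per business service. The following is an added illustration, not from the original post: the services, risk figures, costs and the risk-reduction factor assumed for each Implementation Group are all constructed, hypothetical values, and the rule for choosing an IG (cheapest group that brings residual risk within appetite and still has a positive net benefit) is one possible policy, not a CIS rule.

```python
"""Cost/benefit screen for applying CIS Controls v8 Implementation Groups
per business service.  Added illustration; every figure is constructed."""
from dataclasses import dataclass

# ASSUMPTION: fraction of the quantified annual risk removed by each IG.
# Cumulative (IG2 includes IG1, IG3 includes IG2).  Hypothetical values.
RISK_REDUCTION = {"IG1": 0.50, "IG2": 0.70, "IG3": 0.85}


@dataclass
class Service:
    name: str
    priority: int        # 1 = most critical to the Mission Statement/Objectives
    annual_risk: float   # quantified maximum annual loss exposure (e.g. GBP)
    cost: dict           # estimated annual cost of reaching each IG for this service


def net_benefit(service, ig):
    """Predicted annual risk reduction minus the cost of reaching that IG."""
    return service.annual_risk * RISK_REDUCTION[ig] - service.cost[ig]


def residual_risk(service, ig):
    """Risk left over once the IG is in place."""
    return service.annual_risk * (1 - RISK_REDUCTION[ig])


def recommend(service, risk_appetite):
    """Cheapest IG whose residual risk sits within the stakeholders' appetite
    and whose risk reduction still outweighs its cost.  None means no group
    passes both tests and the service needs a stakeholder decision."""
    for ig in ("IG1", "IG2", "IG3"):
        if residual_risk(service, ig) <= risk_appetite and net_benefit(service, ig) > 0:
            return ig
    return None


def plan(services, risk_appetite):
    """Decisions ordered by business priority (Priority 1 first)."""
    out = []
    for s in sorted(services, key=lambda s: s.priority):
        ig = recommend(s, risk_appetite)
        out.append((s.name, ig, None if ig is None else round(net_benefit(s, ig))))
    return out


# Constructed sample portfolio (hypothetical figures, in GBP per year).
SERVICES = [
    Service("payments", 1, 1_500_000, {"IG1": 200_000, "IG2": 400_000, "IG3": 1_000_000}),
    Service("hr", 2, 400_000, {"IG1": 150_000, "IG2": 300_000, "IG3": 600_000}),
    Service("wiki", 3, 50_000, {"IG1": 20_000, "IG2": 60_000, "IG3": 150_000}),
    Service("legacy", 4, 100_000, {"IG1": 120_000, "IG2": 200_000, "IG3": 300_000}),
]

if __name__ == "__main__":
    for name, ig, benefit in plan(SERVICES, risk_appetite=300_000):
        print(f"{name:10s} -> {ig or 'escalate to stakeholders'} (net benefit {benefit})")
```

In the constructed portfolio the Priority 1 service justifies the full IG3 spend, the mid-tier services stop at IG1, and the legacy service fails the break-even test at every group, which is exactly the "does this represent value to the business?" case that should go back to the stakeholders rather than being forced through.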
Where there are services that have regulatory obligations (e.g. PCI DSS, GDPR, CCPA, etc.), you may wish to consider using the common controls across numerous high-value business services/operations.
When planning your internal audit activities for compliance requirements, consider aligning them with the principles of the CIS 18 CSCs, so that security control evaluations are prioritized according to the perceived criticality of the controls rather than the order in which a standard happens to list them, e.g.
PCI DSS Priority 1:
Scope & Maintain an Asset Inventory (2.4)
CIS 1.1 Establish and Maintain Detailed Enterprise Asset Inventory.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM-type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under the control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
Check for Rogue Devices (11.1)
CIS 1.2 Address Unauthorized Assets.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
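CIS 1.1 and 1.2 together describe a loop that can be scripted: keep an inventory carrying the listed fields, compare it against what is actually seen on the network, and act on anything unauthorized. The following is an added example, not code from the original post or from CIS: the inventory records and the observed devices are constructed sample data (the kind a DHCP lease export or ARP sweep would give), the 182-day cutoff is our reading of "bi-annually", and the mapping from finding to action (quarantine unknown devices, remove known-but-unapproved ones) is an assumed policy; CIS only lists the three options.

```python
"""Reconcile an enterprise asset inventory (CIS 1.1 fields) against devices
observed on the network and apply the CIS 1.2 unauthorized-asset process.
Added example; all inventory and observation data is constructed."""
from datetime import date, timedelta

# CIS 1.1: review "bi-annually, or more frequently".  ASSUMPTION: 182 days.
REVIEW_INTERVAL = timedelta(days=182)

# Constructed inventory keyed by hardware (MAC) address, holding the fields
# CIS 1.1 asks for: network address (if static), name, owner, department,
# approval to connect, and when the record was last reviewed.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "fs01", "ip": "10.0.1.10", "owner": "alice",
                          "dept": "Finance", "approved": True, "reviewed": date(2021, 3, 1)},
    "00:11:22:33:44:02": {"name": "lt-bob", "ip": None, "owner": "bob",   # DHCP client
                          "dept": "Sales", "approved": True, "reviewed": date(2021, 5, 20)},
    "00:11:22:33:44:03": {"name": "old-printer", "ip": "10.0.1.50", "owner": "carol",
                          "dept": "Ops", "approved": False, "reviewed": date(2020, 9, 1)},
}

# Constructed observations, as a DHCP lease export or ARP sweep might produce.
OBSERVED = [
    {"mac": "00-11-22-33-44-01", "ip": "10.0.1.11", "name": "fs01"},       # IP drifted
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.77", "name": "lt-bob"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.1.50", "name": "old-printer"},
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.1.99", "name": "raspberrypi"},  # unknown
]


def normalise_mac(mac):
    """Tools disagree on MAC formatting; compare on one canonical form."""
    return mac.lower().replace("-", ":")


def reconcile(inventory, observed, today):
    """Return unauthorized devices, records whose static IP or name no longer
    match what is seen, and inventory entries overdue for review."""
    findings = {"unauthorized": [], "mismatched": [], "stale": []}
    for obs in observed:
        mac = normalise_mac(obs["mac"])
        rec = inventory.get(mac)
        if rec is None:
            findings["unauthorized"].append((mac, "not in inventory"))
        elif not rec["approved"]:
            findings["unauthorized"].append((mac, "not approved to connect"))
        elif (rec["ip"] is not None and rec["ip"] != obs["ip"]) or rec["name"] != obs["name"]:
            findings["mismatched"].append((mac, rec["name"], obs["name"], obs["ip"]))
    for mac, rec in inventory.items():
        if today - rec["reviewed"] > REVIEW_INTERVAL:
            findings["stale"].append(mac)
    return findings


def disposition(reason):
    """CIS 1.2 offers remove / deny remote access / quarantine.
    ASSUMPTION: this mapping is our policy, not prescribed by CIS."""
    return {"not in inventory": "quarantine",
            "not approved to connect": "remove from network"}[reason]


def weekly_report(inventory=INVENTORY, observed=OBSERVED, today=date(2021, 9, 1)):
    """The weekly run CIS 1.2 asks for: findings plus the action for each."""
    f = reconcile(inventory, observed, today)
    actions = [(mac, reason, disposition(reason)) for mac, reason in f["unauthorized"]]
    return {"actions": actions, "mismatched": f["mismatched"], "stale": f["stale"]}


if __name__ == "__main__":
    for key, rows in weekly_report().items():
        print(key)
        for row in rows:
            print("  ", row)
```

Run weekly, the report gives the audit evidence for both safeguards at once: the "actions" list shows the 1.2 process operating, while the "stale" and "mismatched" lists show where the 1.1 inventory has fallen behind reality. Feeding it real data means replacing the constructed `OBSERVED` list with parsed lease or ARP output and the `INVENTORY` dict with an export from whatever asset register or MDM tool holds the records.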
The evolution of the CIS 18 CSCs should be seen as a positive thing and could be extremely beneficial for organizations looking to identify which security controls matter most. However, these security controls are only the different colors and shapes of Lego pieces (a great analogy of Sandy's); you still need to understand the type of Lego model that you are trying to build.
Are you looking to build a model of an Aston Martin motor car or is it a Death Star?
The number of 'Lego pieces' and the amount of time and effort needed to build your security model need to be proportionate to the perceived value of the business service/operations.