The word “cybersecurity” is one of the most overused and abused terms in an era filled with hyperbole and linguistic torture. In the 90s, the word and prefix “cyber” held bad connotations around online sex and pornography more than anything else. Then again, in those days “hacker” didn’t necessarily refer to an attacker. Today “cyber” is used in much more polite conversation, but it’s still far too broad and far too overused, especially in government policy circles where “cybersecurity” is almost interchangeable with “security.” However, there is a critical way in which we might use “cybersecurity” that is both different and distinct from the rest of security in a meaningful and useful way. Before we dive into that, though, a short story is called for.

Many years ago, I visited a US Bank and was warmly greeted by a CISO who lorded over an impressive 652-person department, which he made a point of telling me twice before we reached the conference room. I was duly impressed and asked an obvious question, “What’s your overall strategy for using these people?” I learned he had “crowdsourced” all the things the department could work on and came up with a heat map of the hottest and most relevant areas. He then proceeded to show me a magnificent reference architecture.

It was at this point I had what I call my “patchwork quilt” moment because he produced an impressive Escher-style tessellation in the form of a map with 64 equally weighted shapes arrayed in a quilt-like spread of projects. What should have been his moment of glory instead came across clearly with one voice that screamed “I have no idea what I am doing. In fact no one here does and I only hope this huge image dazzles with science and keeps me from getting fired.”

It might not be obvious from this story, but I worked closely with this CISO who voraciously devoured new techniques and approaches and became one of the best I’ve known. It wasn’t for lack of hard work and intelligence that the patchwork quilt existed. The ideas and techniques of more advanced risk management and mitigation that I would go on over four different positions as CSO to learn, help develop and see for myself weren’t sitting in a desk reference guide or blog nearly two decades ago.

The most critical categorisation in security is between that which requires unique security skills for execution and that which doesn’t. The first category, a distinct form of cybersecurity, demands specific security skills, knowledge and experience, for instance, in active defenses and countering of real, live adversaries mounting operations against a company. The second category, IT security, requires security knowledge and insight to do properly, but doesn’t require distinctly security skills for execution.

This broad division serves a purpose in planning resources, processes and operations. Cybersecurity functions, such as SOC operation, incident response handling, active remediation and the like, need security people with their hands on the keyboards doing the actions and getting better at the activities in real time. This means that team goals, training, processes, tools and even work spaces need to be organised in a manner that will promote accomplishing the clear mission of stopping malicious actors. These are activities that need triage, according to business context of course, along primary security lines in real time.

Contrast that with IT security functions, like the majority of identity and access management projects, vulnerability management, firewall policies, antivirus updates and well over 50 percent of SIEM functions, which can largely be done by people who have basic security knowledge but are largely IT people managed in a different day-to-day and hour-to-hour manner. Of course, policies and oversight for both share a common DNA, common management functions, risk orientation and more. But this distinction helps us plan a course ahead and a way to never, ever have to stare at a patchwork quilt again.

To use a medical analogy: IT security is like the equipment, cleanliness, supplies and safety of the operating theatre while cybersecurity is like the doctors and nurses fighting in real time to keep the patient on the table alive. We have a host of people who can help with the former, but only the highly trained and evolving discipline of medicine is required in the second function. It’s the doctors and nurses that make the difference between an operating room and a morgue, and the same is true in security. It’s the analysts and expert teams that make the difference between a SOC and a NOC.

Combine this view of cybersecurity with risk-centrism, dialogues by management with the business and a strategy to move the bulk of IT security operations execution to IT, and the security department can become a finely tuned set of tools for mitigating IT risk. They also mark the difference between the good and the great, for we will succeed in our strategies not because of what we say “yes” to but rather because of what we say “no” to.