I have to ask this question after reading two recent papers. The first is from an organization that positions itself as not only an expert in cyber but one that offers related consulting services and solutions.
Practical Guide to Measuring Cyber Resiliency and Effectiveness was published by Lockheed Martin earlier this year.
The authors suggest a seven step process for establishing “an effective, sustainable computer network defense program”.
While the piece has some value, I have some major issues with it.
Let’s start with the fact that cyber is a business issue, not just an IT one. Yet, the only people on the recommended team are techies. In fact, they recommend a team of three “highly-skilled Technical Leads and Cyber Analysts with experience in Threat Monitoring, Incident Response, Cyber Threat Intelligence, Malware Analysis, and Computer Forensics, DevOps, Analytics, and general cybersecurity and IT skills”.
Nowhere is there any mention of the need to involve business personnel.
In my presentations and courses, I often talk about this hypothetical situation.
Imagine that we are in a conference room and hear a loud BANG from outside. We run to the window and see that a large safe has landed in the middle of the parking lot. Security guards rush to surround it. They string barbed wire around the safe, with bright lights and 24-hour monitors.
But then an executive appears and tells a guard to open the safe.
The executive looks around and spots a wicker basket against the fence, close to an exit from the lot.
He strolls over and sees the crown jewels wrapped in tissue paper in the basket.
The point is that you protect what needs to be protected.
You need to know what assets are at risk before setting up a cyber program or any other form of controls and security.
Yet, the paper does not mention any form of risk assessment.
The risk from cyber is not the technology or network; it is the effect on the achievement of a business objective.
I have additional issues with the paper.
- The analysis assumes that all attacks can be detected. This is a huge assumption and not credible in my view
- There is no mention of risks introduced by mobile or cloud applications and services
- There is no discussion of threats to the organization through attacks on the extended enterprise. Many organizations have outsourced services to a third party; those services may be at risk. In addition, many attacks are on our partners in the extended enterprise; once an intruder has gained access to a partner, they may be able to access our network and systems. Finally, many intruders are attacking employees’ personal devices and systems – and could gain access that way
- The issue of educating the organization to be security-conscious (such as avoiding clicking on links or attachments that introduce malware or using better passwords) is ignored. In fact, the use of non-simple passwords is totally absent.
I am afraid I find this paper quite lacking from a business perspective.
Now, perhaps all my points are discussed by this vendor in different publications – but that is not apparent from this piece.
The second paper is The Cyber Threat Risk – Oversight Guidance for CEOs and Boards. It has a foreword by Sameer Bhalotra, Former White House Senior Director for Cybersecurity, so I was expecting a better paper than the Lockheed Martin one – especially as it is targeted at CEOs and board members.
But, the same criticisms apply.
There is no business risk assessment, there is no mention of mobile or the cloud, a security-conscious culture is absent, and the extended enterprise is ignored.
It does have some better content, including:
- a description of the problem we face
- an emphasis on detection as well as prevention
- a discussion of mean-time-to-detect and mean-time-to- respond
Most of the techies I know understand all my concerns. But I have to ask when so-called cyber experts write and share papers like these.
I welcome your thoughts.