Over my two-decade career as a cybersecurity practitioner and CISO, I have constantly asked myself, “Why is security broken?”
By broken, I mean that most organizations, commercial or public, don’t have the right level of cyber resilience. When we think about the definition of ‘cyber resilience,’ we tend to think about detection and response capabilities to withstand and recover from cyber attacks, such that we can continue to operate the business and deliver the intended business outcomes.
But there is another side to cyber resilience – the company’s level of preparedness. Making a digital organization more cyber resilient is not very different from keeping a person healthy (i.e. illness resilient), conceptually. It’s all the things we have to do to be healthier, so that if we do get sick, we can recover faster.
While I don’t think there is a single reason for it being broken or that a silver bullet solution exists, I believe cyber resilience boils down to two things:
- We don’t understand ourselves very well. Modern organizations have become so complex, so fast. Even a small or mid-size organization with fewer than 200 employees could be using 100+ different technologies and be responsible for almost 400k cyber assets. This is not just about the visibility that many technology solutions claim they help with; rather, it’s a deeper understanding across the entire digital infrastructure and cyber operations. Knowledge is the foundation to improve our cyber resilience readiness. If we don’t understand ourselves, it’s hard to be proactive, and hard to recover faster.
- We don’t engage teams outside of security very well. Security has been viewed as a technical function, and perhaps worse, a policing/enforcing function (think auditing, blocking, monitoring). While that is certainly part of it, security should be an enabling function, a wellness and coaching function to the entire organization. Security is everyone’s responsibility. Collaboration is the critical step to increase our speed and readiness to cyber resilience. We know what to do; we just don’t do a good job of practicing it – some of which is a result of technological challenges.
And guess what? All of the ‘challenges’ security teams face – noise and alert fatigue, cyber skills shortage, “we don’t have enough people,” “you can't fix stupid,” etc. – they stem from the two deeper root causes I mentioned above: knowledge and collaboration.
The path to better understanding ourselves
I’ve been asking my team these five questions when I run my security program. If we answer these well, we pretty much have a well-functioning security program.
These aren’t the 12 questions I mention in the title of this article; I’ll get to those shortly. These form the foundation for tackling our large, complex security challenges and build up to the more detailed questions you should be able to answer.
- What do I have?
- Which assets are the most important?
- Who owns them?
- Do they have a problem?
- Are we compliant and getting better over time?
Is this really that simple? Just these five questions? Yeah, actually it kinda is. If we insert the type of asset that the security team is responsible for protecting, and expand that out, we are essentially covering all the bases.
Let’s unpack those a bit more.
#1 What do I have?
You can’t protect what you can’t see. Naturally, we have to start here. It’s no wonder that standards and best practices like the NIST CSF and CIS Critical Controls all start with asset inventory. Yet most organizations are still stuck on answering this first question well, at scale. This is not because they don’t understand the importance of it, but rather because of the sheer complexity, volume, and volatility of today’s modern cyber infrastructure.
#2 Which assets are the most important?
Even with continuous, automated, and centralized asset inventory, we still face the challenge of not knowing which assets we should focus on. Is a critical vulnerability finding on Device A more significant than the same finding on Device B? Without the answers to questions like that, we won’t be able to prioritize across the thousands, and sometimes millions, of work items that seem to never reduce in number.
Determining asset criticality is more than just tagging a resource with classification. More often than not, the business context that determines if an asset or a resource is critical resides in the head of a domain expert team member or on a piece of paper somewhere. We need the ability to “codify the business context” so that we can apply that context systematically and continuously on top of the centralized asset inventory to determine which ones are the most important. This context is knowledge.
#3 Who owns them?
Asset ownership identification is another challenging task. Even if we had perfect ownership assignment across all resources at one point – which we did not – people change roles, people join/leave the organization, resources change, everything becomes software-defined, business grows, M&A happens, and everything gets more complex.
It seems impossible to get ahead of this, so we resort to a series of Zoom calls and Slack messages ad hoc when shit hits the fan. Security teams throw things over the fence to their counterparts in IT, engineering, or business teams because, more often than not, security teams are only responsible for identifying the problems, not fixing them. An unowned asset in your infrastructure is a critical vulnerability – it is what adversaries are trying to create: infrastructure they own.
#4 Do they have a problem?
A problem with an asset can range from a vulnerability, a misconfiguration, or a lack of control coverage to an active incident. A problem can occur on any asset, from devices to data, workloads, applications, code, or even users – e.g. an application with a scanner finding can be a problem, unencrypted confidential data can be a problem, a server or workload without protection can be a problem, and an employee who did not complete the required security or compliance training can be a problem.
Herein lies the problem with the current practice of most security teams (no pun intended). We jump in right here to question #4! Let’s scan this! Let’s block that! These questions are sequenced as such for a reason. Having a finding does not always mean there is a problem. Additional context determines if it is a true problem (question #2). Knowing who can fix it provides a targeted notification (question #3). Combined, we can expect a much faster remediation than the current practices.
If I know which assets are the most important, I can focus on the problems associated with those assets first, rather than focusing on the thousands and millions of ‘high’ or ‘critical’ findings that span across all of my assets, most of which are not critical. If I know ahead of time who the asset owners are, when a problem occurs, I can go immediately to the asset owner, provide the context as to why it is important (as established by answering question #2), and work with them to fix the problem as quickly as possible. Knowledge and collaboration.
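The sequence of questions #2, #3 and #4 described above, as an added example that is not code from the original article: findings are joined to an asset inventory that carries criticality and owner, ranked by criticality times scanner severity, routed to the owner, and an unowned asset (or a finding on an asset missing from the inventory) is surfaced as a problem in its own right. The asset ids, owners, scores and findings are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # the scanner's rating (question #4)

@dataclass
class Asset:
    asset_id: str
    criticality: int      # 1 (low) .. 5 (crown jewel), from codified business context (question #2)
    owner: Optional[str]  # None means nobody is accountable (question #3)

@dataclass
class Finding:
    asset_id: str
    title: str
    severity: str

def triage(assets, findings):
    # Returns work items as (priority, route_to, asset_id, title), highest priority first.
    inventory = {a.asset_id: a for a in assets}
    items = []
    for a in assets:
        if a.owner is None:  # an unowned asset is a problem in itself, whatever the scanners say
            items.append((a.criticality * SEVERITY_RANK["critical"], "security-team", a.asset_id, "asset has no owner"))
    for f in findings:
        a = inventory.get(f.asset_id)
        if a is None:  # a finding on something not in inventory means question #1 failed; surface it, don't drop it
            items.append((5 * SEVERITY_RANK["critical"], "security-team", f.asset_id, f"unknown asset: {f.title}"))
            continue
        score = a.criticality * SEVERITY_RANK.get(f.severity.lower(), 1)
        items.append((score, a.owner or "security-team", a.asset_id, f.title))
    return sorted(items, key=lambda w: w[0], reverse=True)

def route(items):
    # Group the ranked queue per owner so each team receives only its own, already prioritised list.
    queues = defaultdict(list)
    for w in items:
        queues[w[1]].append(w)
    return dict(queues)
ASSETS = [  # constructed sample inventory, not from any real environment
    Asset("srv-pay-01", 5, "payments-team"),
    Asset("dev-laptop-77", 1, "alice"),
    Asset("db-hr-02", 4, None),
]
FINDINGS = [  # constructed scanner output
    Finding("dev-laptop-77", "outdated browser version", "critical"),
    Finding("srv-pay-01", "TLS 1.0 still enabled", "medium"),
    Finding("db-hr-02", "storage snapshot publicly readable", "high"),
    Finding("ghost-host", "remote admin port exposed", "high"),
]
```

With this data the "critical" finding on the low-criticality laptop ends up at the bottom of the queue, below a medium finding on the payments server, and the unowned HR database and the host nobody inventoried land at the top for the security team itself.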
#5 Are we compliant and getting better over time?
This one should be pretty self-explanatory. We need to be compliant. Not just for auditors and checking the boxes, but continuously. Nobody starts off perfect. In fact, the cybersecurity functions in most organizations are still pretty messy. By continuously improving over time, we make our organization a more difficult target for adversaries and, therefore, more cyber resilient. After all, cybersecurity is not in the business to eliminate risk, but to manage and reduce it.
The path to success is not a straight line (or a single line)
Unfortunately, these ‘simple’ questions can get very complex, very quickly. Plugging in the different infrastructures and different security controls an organization may have, we suddenly end up with hundreds of questions across a spaghetti of connections that are too overwhelming to handle.
Imagine your entire digital operations and cyber infrastructure fully mapped out and connected with context. Imagine you can easily search for anything (like Google Search) and ask any question (like ChatGPT) across your entire cyber footprint. Imagine being able to navigate from one point to another, zoom in/out to understand blast radius (like Google Maps). All from one place.
12 questions to achieve unified cyber insights and improve cyber resilience
We started with some foundational questions, but they are broad and abstract. We can expand extensively on these to hundreds of questions – all of which we can and should ask operationally and continuously.
That’s a lot of questions. If you’re a practitioner or frontline manager, what should you tell your CISO? If you’re the CISO, what should you show the CEO and the board? They won’t have the time or the patience to digest the answers to hundreds of questions. Where can you possibly begin?
Here are my top 12 questions to focus on. Realistically, the last four are probably all the CEO and Board really care about, but you’ll need to answer the first eight to get to the final four:
(A) Assets and Data
- What critical assets (data/workloads/applications/code/devices) do I have?
- Who owns them?
- Who has access to them?
- Do they have a problem (misconfigurations, vulnerabilities, incidents)?
(B) Users and Access
- Who are the critical users?
- What access do they have?
- Is there anyone who left but still has access?
- Is there any third party with critical access?
(C) Controls and Risks
- Do we have the right security controls in place to protect the critical assets/data/users?
- What are the gaps, coverage, and status (changes) of the existing controls?
- What is the overall risk posture?
- Are we compliant and getting better over time?
Knowing the answers to the above will not only make it harder to ‘get sick’ but also will help your organization recover faster if you do.
Answering these questions effectively and efficiently requires us to rethink our current approach to cybersecurity. Instead of repeating the same things we have been doing for years and letting the security tech debt continue accumulating, we must think about how we invest in making tomorrow better in parallel to reacting to today’s pains. Otherwise, we will never break through this vicious cycle of more vulnerabilities year over year.
Answering these questions empowers the security team to go from the ‘department of no’ to the ‘department of know.’ Security should be, and can be, the business enabler. Security should, and can, help the business change the world.
Answers to these questions are cyber insights. Unified cyber insights provide a clearer path to better cyber resilience. And that’s why we’re here, because we believe every organization will be better with the power of unified cyber insights.
Just Ask J1!