As a cybersecurity practitioner, I admit to frequently being overwhelmed by the number and scope of security tools and capabilities that exist in the marketplace. This is indicative of the incredible breadth of topics that a ‘complete’ cybersecurity and privacy program embodies.
For instance, if you look at the long list of capabilities a security practitioner is supposed to have according to ISC2’s CISSP domains, or at the security requirements instantiated in industry best-practice documents like NIST’s SP 800-53, you get a long list of incredibly diverse must-have security capabilities, including:
- Security Engineering and Architecture
- Security Policy Framework
- Network Security
- Asset Security
- Identity and Access Management
- Audit, Compliance, Assessment and Testing
- Security Operations and Continuous Monitoring
- Secure Application Development
- Security Training
- Configuration Management
- Incident Response
- Contingency and Disaster Planning
- Physical Security
- Acquisition
- Third Party Risk Management
To make matters worse, each item on the list unfolds into hundreds if not thousands of discrete security topics and requirements. I’ve heard it said that security is a mile wide and an inch deep, though our leading security guidance suggests otherwise. Properly done, cybersecurity is a mile wide and many miles deep.
Transitioning to the Openly Secure World
As late as seven years ago, I remember hearing CISOs and CIOs refusing to share security information with their industry Information Sharing and Analysis Centers (ISACs). They claimed that their security information was proprietary, and they held it as dear as any other information that gave them a competitive advantage over their rivals. Presently this sentiment seems to be an extreme exception. ISACs are now ubiquitously considered key providers of threat and event information, and many organizations openly participate in information exchanges.
I believe the success of industry ISACs is indicative of a greater acceptance within the security community that collaboration is a cheaper and more effective means of security than the alternative. I hope the transition in attitudes around sharing information about risk can be extended to other aspects of cybersecurity, particularly the labor-intensive security domains like operations and continuous monitoring, network security, and third-party cyber risk. After all, if organizations have already accepted sharing critically important security event information with partners, what is holding them back from participating more openly in the security community?
There is a lot to be gained by working openly and collaboratively in the cybersecurity space. How much more effective could we be if we could, together with many other organizations, subscribe to security services that shared lessons learned across all of them? How much more effective could we be by pooling resources to block threats, not just from our own ecosystem, but from large swathes of the internet? These, I feel, are the questions we should focus on if we want to protect not only our own boundaries, but the economies and ecosystems of our nations, and the availability and openness of cyberspace for everyone.
The Open Operations Vision
In the security operations environment, it is common for organizations to set up Security Operations Centers (SOCs). SOCs deploy sensors and other technologies throughout an organization’s environment that allow its security personnel to centrally identify, manage, and respond to security events and misconfigurations. While SOCs greatly increase organizational security, they also increase organizational expense by the same measure. Typically, the human cost of a SOC is among its greatest expenses, and while automation promises to reduce that human cost, the automation technology is also very expensive.
By their nature, SOCs are built to manage massively dispersed technology on a global scale; the distance to an asset adds very little overhead. If organizations were to consolidate security operations into centralized SOCs, perhaps organized around similar technologies or similar industries, they could achieve great economies of scale and save a massive amount of money in the management of security events. Organizations could then focus their time on security engineering and on standardizing security configurations, which give them a ton of bang for their buck compared with paying for in-house security operations.
The Open Ecosystem Vision
With the advent of cloud computing, and the embrace of multi-cloud environments, the boundaries between organizations have never been so nebulous. For most organizations the digital business environment is hyper-collaborative. Digital sales mean organizations can expand their digital business environment almost instantly. While there is a significant amount of information available about the business services a new cloud-enabled platform can bring, there is often very little actual information about the security and privacy risks a service may introduce to the organization’s digital environment.
Organizations need better ecosystem vision throughout the business system lifecycle, from acquisition to disposal. By participating in networked cyber information exchanges, like the CyberGRX Exchange, organizations can more effectively get instant reads on the risk of adding a particular digital service.
The more collaborative cyber risk exchanges are, the better the analysis of the Exchange’s security data can be. For instance, threat intelligence, cross-referenced with cyber-attack kill chain analysis and data about the security dispositions of your organization or your vendors, can yield timely and actionable insight that could help your organization and your vendors avoid breaches.
I think there is no single tool or security concept that will have a greater impact on the overall cyber landscape than collaboration. I believe that the economies of scale achieved through open security collaboration have the power to revolutionize the way organizations do cybersecurity and privacy.