To support a cyber security strategy it is necessary to conduct a business assessment and evaluation of the organisation’s current state. The breadth and depth of this assessment will again be in proportion to the proposed scope and vision of the strategy. The criteria for an assessment should again reflect the scope but in general the assessment should aim to cover:
Geography and locations
Business services and operations
Legal or regulatory requirements per geography
Current business strategies per geography
Current risk and threats
Current security capabilities
Current service management and supplier management
The list above is not exhaustive and there may be other specific areas that are beneficial to the strategy, but it should cover enough to gain a good understanding of the current or As-Is position. The assessment is essentially the beginning of the gap analysis required to qualify the strategy and transformation and to determine its success. There are a number of different ways to conduct a business assessment and enable the gaps to be identified. These include diagrammatic means such as building block diagrams and use case models, or spreadsheet matrices.
Once the business assessment has been completed and sufficient information has been gathered to form a good understanding of the organisation and its scope of operations, an assessment of the likely threat to these findings can begin. Your security operations should have a security incident classification within the organisation's incident management domain which can be used to define threats. This classification or taxonomy of threat types should be used to help produce an initial threat assessment based upon a breakdown of what a threat means and how it manifests. There are a number of useful threat classification models available, including those from:
Other information that should also be gathered, where it can be obtained, is the following:
Security incident reports
Impact on business/services
Root cause conclusions
Repeated incident types
A Threat Assessment is built up with the following activities and output:
Define threat types facing the organisation and order them by severity
Define threat profile for each threat type – including threat actor, motive, FOI or target asset
Define threat scenarios to challenge the organisation and its vulnerabilities
Once you have completed the business and threat assessments and have an understanding of the current state and operations within the organisation, its vulnerabilities and threats, you can conduct a risk assessment. Your risk assessment should follow your organisation's risk method, or select FAIR or OCTAVE as a means to determine the risk "appetite" or tolerance towards each threat. This tolerance and assessment will influence further assessment types, gap analysis and areas for transformation.
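To show how the threat profile outputs above feed the risk step, here is an added example (not code from the original article) that orders constructed threat profiles by severity using a simplified FAIR-style annualised loss estimate and flags those above a stated tolerance. It assumes three-point estimates for loss event frequency and loss magnitude, combined with a PERT mean; full FAIR analysis uses calibrated ranges and simulation, so this is a deliberate simplification. All threat types, actors and figures are constructed for illustration.

```python
"""Added example: FAIR-style annualised loss used to rank threat profiles and
compare them against a risk tolerance. All figures are constructed, not from
any real assessment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatProfile:
    """One row of the threat assessment: type, actor, motive and target asset,
    plus (minimum, most likely, maximum) estimates used for the risk step."""
    threat_type: str
    actor: str
    motive: str
    target_asset: str
    loss_event_frequency: tuple  # loss events per year, three-point estimate
    loss_magnitude: tuple        # loss per event in currency units, three-point estimate


def pert_mean(estimate):
    """Collapse a (min, most likely, max) estimate to a single expected value.
    Assumption: the PERT weighting (min + 4*mode + max) / 6 is used in place of
    the calibrated distributions a full FAIR analysis would sample."""
    lo, most_likely, hi = estimate
    return (lo + 4 * most_likely + hi) / 6


def annualised_loss(profile):
    """Expected annual loss = expected loss event frequency * expected loss per event."""
    return pert_mean(profile.loss_event_frequency) * pert_mean(profile.loss_magnitude)


def rank_by_severity(profiles):
    """Order threat profiles from most to least severe by annualised loss."""
    return sorted(profiles, key=annualised_loss, reverse=True)


def above_tolerance(profiles, tolerance):
    """Threat types whose annualised loss exceeds the organisation's tolerance,
    most severe first; these are the gap-analysis and transformation candidates."""
    return [p.threat_type for p in rank_by_severity(profiles) if annualised_loss(p) > tolerance]


# Constructed sample threat profiles (hypothetical organisation).
SAMPLE_PROFILES = [
    ThreatProfile("Phishing", "Opportunistic criminal", "Credential theft / fraud",
                  "Staff mailboxes", (2, 4, 6), (10_000, 25_000, 40_000)),
    ThreatProfile("Ransomware", "Organised crime group", "Extortion",
                  "File servers and backups", (0.1, 0.2, 0.3), (500_000, 800_000, 1_100_000)),
    ThreatProfile("Insider data theft", "Disgruntled employee", "Personal gain",
                  "Customer database", (0.2, 0.5, 0.8), (60_000, 120_000, 180_000)),
]

# Constructed risk tolerance: annualised loss the organisation will accept per threat type.
RISK_TOLERANCE = 75_000


if __name__ == "__main__":
    for profile in rank_by_severity(SAMPLE_PROFILES):
        print(f"{profile.threat_type:<20} {profile.actor:<24} ALE={annualised_loss(profile):>12,.0f}")
    print("Above tolerance:", above_tolerance(SAMPLE_PROFILES, RISK_TOLERANCE))
```

The ranking is what "order by severity" produces in practice, and the above-tolerance list is the input to the gap analysis: each entry needs either a capability to reduce frequency or magnitude, or an explicit decision to accept the residual risk.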
All strategies should start with a vision, set out either by necessity or by visionary inspiration. Whether the trigger behind the vision is a new senior role, restructuring, repositioning or survival, the vision needs to be qualified through the drivers, goals, objectives and any opposing aspects such as issues, constraints or concerns. A vision needs balance and cross-examination before it moves to any further formality. A cyber security strategy is no different; however, it has one further aspect to challenge it, and that is the threat which is faced. That threat needs to be broken down into its many parts and actors to fully understand the magnitude, diversity and expertise behind it. A threat assessment needs to cover enough to meet the size and scale of the vision, and is also there to make sure that the drivers and goals set out the right means to mitigate and manage the threat in the future, as that will generally be unknown until some event or evidence appears to define it.
To complement the threat assessment it is also necessary to conduct more general business assessments of capability, architecture and operations to build an up-to-date view of what, where and how the organisation is functioning. The larger the organisation, the bigger the assessment view will be, and the level of detail will depend upon the resources and budget available. The business assessment should be in proportion to the size and scale of the strategy and vision. There are also a number of general standards and practices in an organisation that either have produced or must produce assessments to meet legal or regulatory requirements, and these should be a starting point.
A second important aspect of business design and modelling for a cyber security strategy is the extension capability within the TOGAF metamodel and the extend relationship of UML use cases. Both allow supplementary relationships to be built around the primary concepts and building blocks. This is very important as cyber security strategy development is unlike a normal business strategy. Yes, there are many common features, but due to the complexity and often unknown threat and risk, the strategy has to be designed to adapt and evolve where the risk and threat is greatest. So engineering the right capabilities is crucial to ensure people, process and technology coverage is sufficient. A common mistake is to identify technologies up front before it is clear what is required and how they need to operate. Generally this is the reason why historically a lot of SIEM or security technology deployments have been so problematic: a SIEM and other security technologies are selected before the right business and operational capabilities are in place to govern and manage them correctly. On top of that, many SIEMs have been deployed without the right due diligence and assessment of security controls, architecture and IT operations. If you don't know the environment your SIEM is going to protect, then it is unlikely you will know the right data architecture and data collection needed.
Over the next few articles I will explore each stage of a cyber security strategy and will begin with the most important part: the threat and risk assessment. Know your enemy, their motives and why they are targeting your organisation, and at the same time get to know your organisation, its architecture and vulnerabilities. The As-Is and current operating model is fundamental before you begin to define your targets.