Not long ago I was asked a simple question that has a tough answer. The question was “what is cyber?” And usually when you see that kind of question the buzz words, terms and descriptions popular today typically come to mind such as the “Internet of Things,” the “culture of computers” or the simple one “cyber = computing.”
In this instance, I decided to part ways with that kind of thinking and this was my answer: “Cyber” really means data, and data can be a force multiplier, can improve productivity, provide a brand new revenue stream or a combination of all of that.
However, and just as important, data can also produce a large amount of harm, which translates into liability. That liability can take many forms but typically consists of liability to your:
- Share Price
- Consumer Protection
- Regulatory Posture
- Intellectual Property
- Business Resilience
- Speed to Market
Any organization that houses data with a value tied to it needs to understand that potential harm and plan for it. Sadly, few organizations know how to do this, or even that they need to do it at all. This is where responsibility and accountability for protecting what is listed above intersect, and where the two are frequently confused.
Regardless of the role that gets the fun and joy of protecting the data it all boils down to one potential key algorithm:
Digital Harm = Data Value x Data Footprint + Liability Potential x Exposure
These are terms we should all recognize but, as a community, do not implement well, yet they are the basis for what we do: boundary defense, behavioral and signature-based detection, change management, backup and restoration, node hardening and patching, and so on. We do all of these things to protect our environment from digital harm, and we do them blindly.
The key issue here is how much potential “Digital Harm” a system of record contains, which then determines how much effort (which translates into cost) you expend deploying countermeasures.
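As an added illustration (not part of the original article), the formula above applied to a constructed inventory of systems of record: each factor is scored on an assumed 1-5 ordinal scale, since the article gives no units, and the scores are used to rank systems and split a countermeasure budget in proportion to their digital harm.

```python
from dataclasses import dataclass

# Assumed scoring scale: the article defines no units for its four factors.
SCALE = range(1, 6)


@dataclass(frozen=True)
class SystemOfRecord:
    name: str
    data_value: int           # business value of the data it holds
    data_footprint: int       # how widely that data is copied or replicated
    liability_potential: int  # regulatory, contractual or reputational downside
    exposure: int             # reachability: internet-facing, third-party access, etc.

    def __post_init__(self):
        for score in (self.data_value, self.data_footprint,
                      self.liability_potential, self.exposure):
            if score not in SCALE:
                raise ValueError(f"{self.name}: scores must be in {list(SCALE)}")


def digital_harm(s: SystemOfRecord) -> int:
    """The article's formula: Data Value x Data Footprint + Liability Potential x Exposure."""
    return s.data_value * s.data_footprint + s.liability_potential * s.exposure


def rank_by_harm(systems):
    """Highest potential harm first; ties broken by name for a stable ordering."""
    return sorted(systems, key=lambda s: (-digital_harm(s), s.name))


def allocate_budget(systems, total):
    """Split a countermeasure budget in proportion to each system's digital harm."""
    scores = {s.name: digital_harm(s) for s in systems}
    denom = sum(scores.values())
    return {name: round(total * v / denom, 2) for name, v in scores.items()}


def harm_after_footprint_reduction(s: SystemOfRecord, new_footprint: int) -> int:
    """Effect of 'the best way to secure data is to get rid of it': shrink the footprint."""
    reduced = SystemOfRecord(s.name, s.data_value, new_footprint,
                             s.liability_potential, s.exposure)
    return digital_harm(reduced)


# Constructed sample inventory; the names and scores are illustrative only.
INVENTORY = [
    SystemOfRecord("payroll", 5, 2, 5, 2),        # 5*2 + 5*2 = 20
    SystemOfRecord("fare-card-db", 4, 4, 4, 4),   # 4*4 + 4*4 = 32
    SystemOfRecord("intranet-wiki", 2, 3, 1, 2),  # 2*3 + 1*2 = 8
]
```

Consolidating copies of the fare-card data into one authoritative system (footprint 4 to 1) drops its score from 32 to 20, which is the budget argument the article's guiding principles make.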
Data and information governance should be a large influence on your cyber security program. I personally like the Gartner definition of what this is:
“The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
Make note that Gartner specifically calls out that it is a “decision right and accountability framework,” but what about the operational side? How do you translate this into action? Well, it’s a really long path to go down and a large amount of work, but I have summed it up in the following graphic:
When you look at the graphic make note of some guiding principles:
- You don’t know what you don’t know
- The best way to secure data is to get rid of it
- Value depends on the business process it supports; work with your business partners
- If you like to use the term “Cyber Warfare” you’re doing it wrong; the business is concerned about liability and harm
- Being able to map back business value relative to digital harm should give leadership a clear picture of what you are doing with your budget and the value it brings
- Once you have tagged and bagged, cuffed and stuffed your data, migrate it to authoritative systems of record and then wrap your countermeasures around those.
- It’s quite possible that CISO John Powers figured this out a long time ago
Remember: “Cyber” means data, and everything else is just tools that help facilitate its manipulation and consumption, so a wise CISO starts at the source.
About the Author: Adam Meyer is currently the Chief Information Security Officer for one of the largest public transportation systems in the United States. Before serving in his current position Adam served as the Director of Information Assurance/Cyber Security for the Naval Air Warfare Center, Naval Air Systems Command. Prior to focusing on the Cyber Security discipline, Adam has served in positions supporting Network Engineering & Operations, Enterprise Architecture & Configuration Management, Emergency Power and Systems Engineering for organizations such as White House Communications, Army Pentagon, Joint Interoperability Test Command (JITC) and the Intelligence Community. Adam also provides specialized training and consulting services as the President of CyberWise Advantage Inc. in the areas of Business Resiliency, Data Governance, Risk Management and Systems Security Engineering with an additional focus on Cyber Security issues for small and medium sized business.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.