
I was inspired by my fellow blogger Irfahn Khimji after reading his latest article, “The Sea of Information Security”, to write a post on information security hierarchy of needs. Dave Shackleford wrote on this topic back in 2009, so I thought it would be good to re-energize the discussion.

As you recall from the Psychology 101 Class you took in college, Maslow’s Hierarchy of Needs framework suggests that individuals are concerned with layers of needs, making us interested in moving up a layer only after the most basic needs are met.

I would like to think that in information security we have a similar way of rationalizing our investments. Unfortunately, I see many security professionals jumping on the latest bandwagon of security “sexiness.”

For example, a few weeks ago I attended Gartner’s Security & Risk Management Summit in DC where I got the opportunity to talk to many analysts. One of them said to me:

“I get many organizations asking me about what is the best solution for threat intelligence. However, when I ask them about whether they have hardened systems and how often they scan for vulnerabilities, it’s clear to me that they’re not ready for the advanced solutions.”

If we were to assess the most important elements of security, what would be some of the most critical capabilities? I have talked to many security professionals who are implementing the 20 Critical Security Controls from the Council on Cyber Security (formerly known as the SANS Top 20) as a framework for their internal security policies. Here are the controls, prioritized in order of severity.

[Screenshot: the 20 Critical Security Controls, listed in priority order]

I decided to map these Top 20 controls into an information security hierarchy of needs. If we take Maslow’s approach, we should be prioritizing our efforts based on the severity of the attacks and the controls that would provide the strongest protection to our organization.


I recently heard Jane Holl Lute, President and CEO of the Council on Cyber Security, mention that eighty percent of known attacks could be prevented by implementing these 20 critical controls. However, judging by the results shown in many reports such as the Verizon Data Breach Investigations Report, we know that most organizations may not be putting those basic yet critical controls in place. In reality, the hierarchy of needs for some organizations looks more like this:


There are many factors that come into play when creating your own organization’s hierarchy of needs – which attack vectors you’re more susceptible to, the risk appetite of your executive team, industry benchmark information, the maturity of your security organization, etc.

Earlier this year, Gartner also released a research note called “Designing an Adaptive Security Architecture for Protection From Advanced Attacks.” The critical capabilities for adaptive security are predictive, preventive, detective and responsive in nature. I find this graph very helpful for assessing your own preparedness for being resilient to attacks.

Rick Holland, principal analyst at Forrester covering security and risk, recently released a two-part report on the Targeted-Attack Hierarchy of Needs. His research note goes beyond just the controls and is a very good read. Download it if you’re a Forrester client.

I’m really interested in finding out how you prioritize your security resources, both organizational and financial, to cope with advanced threats. What frameworks do you use to successfully align your efforts and communicate the impact that your team is having to your organization?

Hasta pronto,



Related Articles:


Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.

The Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Images courtesy of ShutterStock

  • Ok, Cindy I'll try.

    From an SMB or small enterprise perspective (and maybe start-ups will be somewhat covered as well) I think the most important thing is to establish some kind of "minimum viable security". Part of my thinking here is influenced by Ken Westin's post about how for start-ups a minimum viable product shouldn't mean "minimum security" -> this is where I deduced "minimum viable security".

    The reality I'm seeing here in Europe for, say, companies with <30 employees is often 1-2 FTE headcounts for IT, and this includes anything to do with security. Or an outsourced solution where security is "managed", and managed here does not mean managed well. I see a lot of IT departments (again, sometimes just 1 guy) struggling to stay alive, with absolutely no time for security and also 0 knowledge about it. Something like DEFCON or BLACKHAT can be as far away from these people as a Coca Cola is for an astronaut.

    So forget about 1&2. Also forget about 3 and 4, there's no time, no knowledge and no budget.
    For small businesses I'd say:

    - Establish some kind of cloud/SaaS monitoring and alerting solution (Cloud-Wall) to the extent you're using these
    - If in-house IT – establish a perimeter (the perimeter is NOT dead)
    - So ++ to points 11+13.
    - Protect endpoints with AV and EMET or similar (Invincea, Bromium, Malwarebytes, others), also servers -> So ++ to point 5

    That'd be my lowest-part-of-the-pyramid contents and I'd build from there. Maybe. Just thinking out loud here, trying to make sense since the world I often see differs so much from what the large multinationals see. I'd love to flesh out the concept with X others over time.

    • This is also a key reason we provided SecureScan free, so that SMB and smaller entities can leverage the tool to better understand where they are vulnerable. What we find is that it begins a conversation about security, opens minds as to what is vulnerable and gets them asking the right questions.

  • Claus,
    Your comment reminds me of Wendy Nather's presentations on Living Below the Security Poverty Line. And as you mentioned, the hierarchy of needs, or what you call "minimum viable security", is different per organization depending on the resources they have available. Even with limited resources, many security professionals tend to get attracted to the newest smartphone-operated alarm systems and forget to lock their front door. Appreciate your thoughts.

  • Claus,

    You hit the nail on the head. This is precisely why attackers are targeting smaller organizations, simply because they are low hanging fruit and they can also serve as a conduit into larger organizations. This is why many larger businesses are requiring security audits of their business partners, be it their network if they will be sharing data or network access, or applications themselves if they will be purchasing a tool. This in many ways will start to force the SMB to take security into consideration as part of their business process, versus an inconvenience and if approached the right way can function as a competitive differentiator if they are proactive enough.

    Education and awareness is probably the most important thing a small business can do to mitigate security threats. It should be approached like tax law: ignorance is not an excuse, and it should be part of the business process. Many times the smaller businesses simply don't take security into consideration because it is alien to them; they simply do not understand the risks, they think their OS is secure and trust the Apples and Microsofts, not realizing that is just one piece of the puzzle. When they realize that their website can be hacked, defaced and data easily stolen, and the impact that can have not just on their business but also on their liability, people find security as a religion pretty quickly.

  • We applaud the SMB cyber support view and we designed a one-week "security operator / practitioner" level course, based on a Security+ cert.
    Agree that the 20 controls are worthy of having in any cyber hierarchy of needs, so are the NSA top 10 and Australia MoD's top 35 mitigations (the first four alone cutting incidents by 85%!)… AND don’t forget the NIST “absolutely necessary” (and highly recommended) protections. So that's how we structured our security needs triangle – start with what matters most… and that means resilience, the foundational items and doing the security basics well. After all, lack of effective hygiene causes 90% of all security incidents, so do that up front.
    The business environment configuration must have a high protection profile with effective security monitoring, while not overly encumbering users; these activities entail:
    * Implement the standard cyber security suite of programs, which entails: anti-virus, firewall, VPN, IDS, and encryption (with key management) (note – only buy security programs off approved product lists, as they have a pedigree).
    * Manage, monitor and KNOW your IT/security baseline well – as you can’t manage what you don’t measure.
    (e.g., doing these few “management” activities cuts security incidents by at least 90%: (a) effective program upgrade and patch management, (b) controlling network and data access (enforce least privilege), (c) application whitelisting / secure configurations, (d) keeping hardware and software inventories current, and (e) employing security continuous monitoring (SCM))
    * Secure backup is paramount, use multiple sources – all storage should be encrypted, with cloud security addressed in SLAs. In fact, encrypt all data at rest (storage) and in motion (external connections)!
    * Manage access to the company, both physical and virtual – Use strong passwords, changing periodically – consider a token/biometrics for sensitive data. Strictly limit privileged access.
    * Proactively manage business risk using your Risk Management Plan (RMP), complemented with an enforced security policy and cyber insurance.
    * Provide ongoing training and education on security threats and business risks, tailored to all key stakeholders. Stay current in sector threats and mitigations.
    * KNOW your security status / metrics – periodically, independently test and assess: the security suite, ongoing processes including back-ups, security policy enforcement, and all major elements in your RMP.

    My IEEE Cyber Security SIG did a cyber education outreach here in San Diego on these methods… See our cyber ED overview approach…
    +++ Be glad to engage others on the topic!

  • We are in agreement it seems :). Although minimum viable security is different from company to company -> this is true, I can't argue against it, a company offering a "minimum viable SMB security"-as-a-service and at a reasonable price would not only make companies safer but find an empty niche due to