Skip to content ↓ | Skip to navigation ↓

I was inspired by my fellow blogger Irfahn Khimji after reading his latest article, “The Sea of Information Security”, to write a post on information security hierarchy of needs. Dave Shackleford wrote on this topic back in 2009, so I thought it would be good to re-energize the discussion.

As you recall from the Psychology 101 Class you took in college, Maslow’s Hierarchy of Needs framework suggests that individuals are concerned with layers of needs, making us interested in moving up a layer only after the most basic needs are met.

I would like to think that for information security we have a similar way of rationalizing our investments. Unfortunately, I see many security professionals getting in the latest bandwagon of security “sexiness.”

For example, a few weeks ago I attended Gartner’s Security & Risk Management Summit in DC where I got the opportunity to talk to many analysts. One of them said to me:

“I get many organizations asking me about what is the best solution for threat intelligence. However, when I ask them about whether they have hardened systems and how often they scan for vulnerabilities, it’s clear to me that they’re not ready for the advanced solutions.”

If we were to assess the most important elements of security, what would be some of the most critical capabilities? I have talked to many security professionals that are implementing the 20 Critical Security Controls from the Council on Cyber Security (formerly known as SANS Top 20) as a framework for their internal security policies. Here are the controls, prioritized in order of severity.

I decided to map these Top 20 controls into an information security hierarchy of needs. If we take Maslow’s approach, we should be prioritizing our efforts based on the severity of the attacks and the controls that would provide the strongest protection to our organization.

I recently heard Jane Holl Lute, President and CEO of the Council on Cyber Security, mention that eighty percent of known attacks could be prevented by implementing these 20 critical controls. However, by the results shown in many reports like the Verizon Data Breach Investigations Report, we know that most organizations may not be putting in place those basic yet critical controls. In reality, the hierarchy of needs for some organizations looks more like this:


There are many factors that come into play when creating your your own organization’s hierarchy of needs – what attack vectors you’re more susceptible to, the risk appetite of your executive team, industry benchmark information, the maturity of your security organization, etc.

gaEarlier this year, Gartner also released a research note called Designing an Adaptive Security Architecture for Protection From Advanced Attacks.” The critical capabilities for adaptive security are predictive preventive, detective and responsive in nature. I find this graph very helpful to assess your own preparedness for being resilient to attacks.

Rick Holland, principal analyst at Forrester covering security and risk recently released a two part report on the Targeted-Attack Hierarchy of Needs. His research note goes beyond just the controls and is a very good read. Download it if you’re a Forrester client.

I’m really interested in finding out how you prioritize your security resources, both organizational and financial, to cope with advanced threats. What frameworks do you use to successfully align your efforts and communicate the impact that your team is having to your organization?

Hasta pronto,



Related Articles:


The Executive’s Guide to the Top 20 Critical Security Controls

picTripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Images courtesy of ShutterStock