You are currently browsing the tag archive for the ‘cybersecurity’ tag.

I got to give about…half…of this presentation this week near Seattle. Obviously it’s missing a lot without the verbal presentation, but I think it’s a good one and maybe folks can get value out of the deck.


I just wrote-up the following for someone in the Communications Sector. It’s entirely stream-of-consciousness and un-edited, so forgive the language and grammar shoddiness, but as far as content goes, I think it sums up very well how I think of cybersecurity at an organizational (as opposed to industry/sector/national) level right now:

The vulnerabilities hackers exploit are created in the design, implementation, operation, or control of your business’s strategy, resource allocation, capability maturity, and value chain.  These vulnerabilities, created by your business decisions, allow hackers to repurpose your business and infrastructure – in part or entirely – to their own ends.

Therefore, cybersecurity can be said to be “The management of all business decisions made by your organization in a way which will inhibit malicious actors from using technology to repurpose your infrastructure or value chain for their own ends.”

While much of the focus on security has been on security specific controls and roles, those controls and roles only help to temporarily mitigate security problems.  True improvement in effectiveness and lowered costs will only come if the rest of the business manages decisions in a way that reduces the number of business and technological vulnerabilities that your security programs must account for.  These vulnerabilities can be introduced in typically “non-security” areas of your business such as product release timing, IT product selection, change management discipline, cross-team communication, business process design, policy compliance culture, service and product feature selection.

And, so, use of  security Frameworks such as the new NIST Voluntary framework, while important, only accounts for security control at one layer of several interdependent layers of control and will not, by itself, successfully protect your organization.  Business leadership priorities, business capability management, business process and IT architecture,  operations, education and culture management, and classic “cybersecurity” must be paid equal attention and be tightly integrated.

A tight integration of these areas will not only reduce the overall number of vulnerabilities being introduced that are exploitable by hackers, but will also allow the organization to more effectively identify and pivot toward defending against new threats and attack vectors.  Without this overall business maturity, no threat data will ever be actionable  because there is simply too much area for your security teams and programs to cover.  However, with the entire business working together to minimize exposure, your security team will be able to use threat based intelligence from external organizations to help them understand what gaps remain, mitigate those threats in the short term, and then inform business leadership of areas of vulnerability which might require longer term strategic organizational change to mitigate.

Ultimately, this should be seen as the development of two risk management life-cycles: One which looks at long term threats to your organization resulting from vulnerabilities created by organizational decision making, and another which focuses on short term tactical threats to your infrastructure. These two risk management life cycles can then inform each other without replacing each other.

In the longer term, business management lifecycle, typical “barriers” such as operational, market, consumer, technology and policy considerations should be considered “cybersecurity vulnerabilities” to be managed.  Metrics could include such measurements as “number of times a security control was pushed to a later release in order to accommodate product release commitments made by marketing.”  Security improvement initiatives could focus on changing organizational processes and decision making to the point where product release commitments and security control introduction were in conflict less often.

I got this yesterday!

You are invited to an event at the White House on Wednesday, February 12, at 1:00 p.m. for the release of the National Institute of Standards and Technology (NIST) voluntary Cybersecurity Framework.  This date marks the one year anniversary of Executive Order 13636, which tasked NIST to convene the private sector to develop this Framework.

We deeply appreciate your leadership in our shared efforts to improve critical infrastructure cybersecurity and would like to offer you the opportunity to attend this event.

Upon receipt of your RSVP, we will follow up with additional logistical information and specific arrival details.  This invitation is non-transferable. 

We hope that you will join us for this important event.

Thank you,

J. Michael Daniel

Special Assistant to the President & Cybersecurity Coordinator

National Security Council

The White House

Just wrote up a review/comments on the new 2013 NIPP released by DHS at the end of December for work. While the NIPP isn’t cybersecurity specific, it is still the policy environment in which non-regulatory critical infrastructure cyber security work happens. Some excerpts most pertinent to this blog are below, but you can (and should!) read the whole thing here:

“…the language used in the new NIPP implies a (positive) evolutionary shift in collective thinking…”
“…It seems like, some of the lessons from the EO and the Framework development process may have influenced the writing of this document…”
“…it does appear that the new NIPP will maintain support of existing public/private partnership mechanisms such as Sector Coordinating Councils (SCC), Government Coordinating Councils (GCC), Critical Infrastructure Protection Advisory Council (CIPAC), Information Sharing and Analysis Centers (ISAC)… Still, it is exceedingly good to see that these mechanisms will not be the *only* ways to partner.”
“…There are a number of stakeholders who, up to this point, have not been part of this dialogue and it would be valuable if they found a way in…The two that come immediately to mind are “The Public” and “Unaffiliated Security Subject Matter Experts (SME).” First, “The Public” is critical infrastructure – at least as customers of risk management – and currently, they have little voice here. Second, most smart hacker or security types, if they are involved at all, are filtered through the business and political realities of their parent organizations and their industry associations. It would be nice to find away to add those voices to the mix, if only to offer a reality check to things like the #NISTCSF.”
“…More serious than the Risk Management Lifecycle problem, however, is what appears to be a philosophical miss.  It is good that cyber and physical security should be more integrated. The change in tone and apparent improvement in flexibility is appreciated, and outcome goals are absolutely a minimum requirement for driving effective security initiatives. However, the new NIPP still doesn’t effectively deal with the overall immaturity of the cybersecurity discipline itself – particularly when compared to the physical space.  It feels like there is an assumption that someone knows the right answers and all we have to do is implement them, but that’s not true.  In fact, the entire problem space needs reframing away from how the security industry has defined it for us over the past 10 years into something with a business quality assurance baseline that is then supported by risk management…”
“The NIPP and related public/private partnership mechanisms could do with more methods for and focus on the definition of  successful cyber security paths forward to meeting collaborative outcome goals, rather than a focus on selecting and then implementing existing paths.”

Someone today asked me what I thought of this article:

My answer was short: Obvious? PCI doesn’t work. NERC CIP doesn’t work. NIST standards don’t work. Anyone who says or implies that these companies just needed to do more is lying, trying to sell you something, ignorant, or a combination. Security as we do it, in the context of IT as we do it, in the context of business as we do it does not reliably do what we want it to do.

I know one thinks we should continue to admire the problem – we need action! But what if we’ve entirely failed to correctly identify and articulate the problem?  :P

Someone else replied elsewhere with (regarding the standards/regs mentioned above):

“although they can be foundational for funding and building a good security program, they don’t work on their own.”

While that is true, a lot hinges on what “G.ood S.ecurity P.rogram” means. I’d argue that results from G.S.P.’s are regularly considered insufficient – i.e., Target *had* a Good Security Program and yet here we are.

Check it out here:

It’s basically a 6-page FAQ I put together introducing some of the main concepts involved in national critical infrastructure cyber security.  I wrote it because, sitting on a panel about CIKR tomorrow at B-Sides DC, I realized most normal security or hacker folks are probably completely unaware of the space!

Follow me on Twitter

My Art / Misc. Photo Stream