I’m often asked why I run a team entirely dedicated to researching, developing and implementing various program frameworks – when so many security organizations get by just fine without them. However, the phrase “get by just fine without them” is part of the answer. The challenge with helping security leaders and professionals understand why what they’re doing requires a model to follow when there are few visible consequences to simply winging it.
First, let us acknowledge that information security is a relatively new discipline that is probably just under thirty years old. Compared to the rest of IT and other things non-computer related the industry is still in its infancy. As the profession matures though, effective leaders are sharing the successes and struggles they face and developing patterns for others to follow. These patterns move from word of mouth and tribal knowledge to formal, industry-supported frameworks.
Security frameworks are designed to provide a reference for those designing various programmatic security mechanisms in order to make sure we benefit from collective successes and failures of the broad community.
Developing a framework is a lot like asking a collection of your thousand closest friends (Fortune 1,000 companies) to agree on ordering a pizza. At the point where you’re developing a model or framework that’s meant to provide broad assistance, you’re not trying to find commonalities so that everyone is happy. You’re instead trying to define a framework which makes the least amount of people completely grumpy. Think about if you were put in charge of setting up a race. Just about everyone will agree that you’d need a start and a finish, but everything in between is up for debate.
So, let’s look at why I believe frameworks are the answer to many of the problems plaguing security organizations. The two major challenges I believe are repeatability and benchmarking. Security organizations struggle to repeat the successes of their contemporaries and peers – especially since every enterprise feels like a special snowflake. Benchmarking is something our industry is waking up to as board executives start to compare notes across enterprises in which they participate.
Think about building a cyber threat intelligence (CTI) program at a Fortune 1,000 company. How do you design a program that can be effective at your financial services company while leveraging lessons learned and successes your peers have experienced at healthcare companies? Additionally, how do we avoid being product-driven and create programs that can have interchangeable parts? The answer: implement a cyber threat intelligence framework that dictates the core functional pieces that every CTI program needs (what) while leaving the details to individual use cases (how). This creates flexibility while simultaneously holding standards and allowing for comparisons (benchmarking) across various market verticals.
A model that starts with outcomes allows you to understand the goals you’re building towards, which addresses effectiveness. You can achieve outcomes through building a set of capabilities across a defined model of functional, core and elements. These capabilities are built through a set of activities which require resources (people, processes, technologies) to operate.
If your desired outcome is to beat Nico Rosberg’s world championship Formula One team, you’re going to need a framework. You already have your desired outcome, so now let’s get the functional elements, or building blocks.
The basic building blocks are tires, engine, car, mechanics, engineers, owners, media relations and a million other components. Next, you can take your building block—mechanics, for example—and ensure they have the capability to change four tires in under 2.8 seconds. In order to develop that capability, you’ll need at least 12 mechanics, tires, air tools and so on. These are your resources. Last but certainly not least, you’ll need to figure out how to measure whether you’ve been successful at beating Nico Rosberg’s AMG Petronas racing team.
In the real world, measurements appear simple—in this case, track lap times. But in the digital program development world there are many iterations of potential measurements, and few of them are expressive and repeatable enough to be business relevant.
So, how do you build an effective CTI program? Start by determining what you want your outcomes to be. From there, you can take the functional building blocks and figure out what capabilities you need to develop to support your outcomes. Then, draft up the activities and resources you’ll require to build up those capabilities. Last, figure out how to measure it all. It’s as simple as that.
Except it’s not. My team spends thousands of hours studying companies and how they operate, and then builds models from this carefully observed and analyzed data. I encourage you to find a framework that fits your organization’s program requirements, business profile and specific needs. Find a framework, adopt it and stick to it. The framework you start on today may be the way you justify budget requests, additional headcount or a promotion tomorrow.