Building a Strong Cybersecurity Technology Program – 80/20 Prevails

How many of you have heard this? “We need a comprehensive, continuous improvement risk management program with clear goals, objectives, and expected outcomes. We need this yesterday, and we do not have any additional budget to support this. Oh, have a great day!”

This could be right out of a Dilbert cartoon, but I find the request realistic, the assessment of current operations accurate for many companies, and the budget demands a reality for most security professionals.

Related to the above, I am reviewing a phenomenal security operations training program developed by Larry Wilson (UMass CISO). As discussed in my previous post, the NIST Cybersecurity Framework (NCSF) Controls Factory Model (CFM) operationalizes the NIST CSF. Currently adopted by 13 universities, it is now becoming available to the commercial enterprise. Based on what I have seen so far, the Foundation and Practitioner programs will arm participants with the knowledge, skills, and abilities to meet the above management request. Moreover, this can be done in a relatively short time and at a reasonable cost.

Why Not Start Today?

Diving right in, as shown in the below figure, the Technology Program Design-Build function is the first step in the CFM’s Technology Center. Its goals are straightforward, prescriptive and pragmatic:

  1. Develop the capability to mitigate threats at every stage of the attack chain
  2. Automate security controls for each core NIST CSF Function: Identify, Protect, Detect, Respond, and Recover
  3. Configure cybersecurity tools to vendor specifications
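As an added example of goal 2 in practice (not code from the post or from the CFM training), the script below automates one piece of the first CIS control, the authorized-device inventory, which sits under the NIST CSF Identify function. It normalizes MAC addresses from different vendor formats, reconciles a discovery scan against the asset register, and reports devices that are unauthorized, missing, at an unexpected address, or not seen recently. The inventory, scan results, owner field and 30-day staleness threshold are all constructed for the example.

```python
"""Reconcile network discovery results against an authorized device inventory.

Added illustration of automating a CIS control (Control 1, device inventory,
mapped to the NIST CSF Identify function). The inventory and scan data below
are constructed for the example; in practice they would come from an asset
register (CMDB) and a discovery tool.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str
    owner: str  # constructed field for the example


def normalize_mac(mac: str) -> str:
    """Accept 'AA:BB:..', 'aa-bb-..' or 'aabb.ccdd.eeff' and return 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventory: what the asset register says should be on the network.
AUTHORIZED = {
    normalize_mac(d.mac): d
    for d in [
        Device("00:1A:2B:3C:4D:5E", "10.0.1.10", "fileserver01", "infra"),
        Device("00-1a-2b-3c-4d-5f", "10.0.1.11", "ws-alice", "desktop"),
        Device("001a.2b3c.4d60", "10.0.1.12", "printer-2f", "facilities"),
    ]
}

# Constructed discovery output: (mac, ip, last_seen as ISO-8601 timestamp).
DISCOVERED = [
    ("00:1a:2b:3c:4d:5e", "10.0.1.20", "2016-06-01T08:00:00"),  # registered, but at a different IP
    ("00:1a:2b:3c:4d:5f", "10.0.1.11", "2016-04-01T08:00:00"),  # registered, not seen for two months
    ("de:ad:be:ef:00:01", "10.0.1.57", "2016-06-01T08:05:00"),  # not in the inventory at all
]

NOW = datetime(2016, 6, 1, 12, 0)  # constructed reference time for the staleness check


def reconcile(authorized, discovered, now, stale_after=timedelta(days=30)):
    """Compare discovery results with the inventory and return the four findings lists.

    unauthorized: seen on the network but not registered (the core Control 1 finding)
    missing:      registered but not seen in this scan
    ip_mismatch:  registered and seen, but at an address other than the registered one
    stale:        registered, but last seen more than `stale_after` ago
    """
    seen = {}
    for mac, ip, ts in discovered:
        seen[normalize_mac(mac)] = (ip, datetime.fromisoformat(ts))

    unauthorized = sorted(m for m in seen if m not in authorized)
    missing = sorted(m for m in authorized if m not in seen)
    ip_mismatch = sorted(
        m for m, (ip, _) in seen.items() if m in authorized and authorized[m].ip != ip
    )
    stale = sorted(
        m for m, (_, last_seen) in seen.items()
        if m in authorized and now - last_seen > stale_after
    )
    return {
        "unauthorized": unauthorized,
        "missing": missing,
        "ip_mismatch": ip_mismatch,
        "stale": stale,
    }


def has_findings(report: dict) -> bool:
    """True when any category is non-empty, so a scheduler can treat the run as a failure."""
    return any(report.values())


if __name__ == "__main__":
    result = reconcile(AUTHORIZED, DISCOVERED, NOW)
    for category, macs in result.items():
        for mac in macs:
            label = AUTHORIZED[mac].hostname if mac in AUTHORIZED else "(unregistered)"
            print(f"{category:12s} {mac}  {label}")
    raise SystemExit(1 if has_findings(result) else 0)
```

Run on a schedule, the non-zero exit status turns the reconciliation into a control that fails loudly; the sorted, normalized MAC keys keep the output stable across runs so the findings can be diffed day to day.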

Nonlinear Cybersecurity Control Management

The Technology Program Design-Build manages security control implementation and effectiveness. In contrast, the Engineering Center leads vulnerability and threat modeling and analysis. These are intentionally parallel processes: a radical departure from more linear risk management approaches of first determining vulnerabilities, threats, and the likelihood of attack, and then beginning control definition. In my view, this is a far more effective and efficient approach. Of course, not all controls are equal and willy-nilly jumping into controls can be wasteful. The NCSF CFM addresses this by focusing on the Center for Internet Security 20 Common Security Controls (CIS-20).

Surprisingly, Pareto Is Your Best Control Option 80% of the Time!

As I wrote in my last post, what excites me about the NCSF CFM is its elegant simplicity. For control selection, the CFM loosely follows the Pareto principle (the 80/20 rule) in several ways. First, as discussed in the training, implementing the CIS-20 can reduce risk by over 90%. Second, NIST 800-53 Rev 4.0 defines approximately 225 controls and 590 enhancements, so the CIS-20 (including its 149 sub-controls) amounts to about 20% of the more than 800 potential touch points in NIST 800-53. Third, if we implement only 20% of the CIS-20 (controls 1-4), we can prevent over 80% of targeted cyber intrusions.

Based on the Technology Program Design-Build training (which covers all CIS-20 controls in detail as part of the section), and to address my hypothetical boss's request, I am starting my security program by implementing the first six controls, summarized below:

In my next post, we move from Technology Program Design-Build to cybersecurity operations. In the meantime, please contact me if you have any questions about the NCSF CFM. Also, please comment below; I would love to hear from connections on the front line who deal with these challenges daily.