In the usual scenario, companies are more reactive than proactive with regard to security. Due to the perception that IT, which includes cybersecurity, is a cost center, procuring technologies may not be appealing to management unless a security incident occurs.  In Lesson 6, we discussed the value of the CISO to help align the company’s strategy and the necessary controls in place to ensure protection.

Coming from a technical security background, you would like to have the best tools and software available. But remember, the management sees it as a cost without seeing the return on investment since it’s for internal use.  The inconvenient truth list below will make the technical security personnel understand why sometimes (or maybe most of the time), the tools that we want are not approved.

The Cybersecurity Inconvenient Truths

• You cannot protect everything from everyone.

If we will list down all potential threats that an organization can face, it will be a very long one. DDoS, Malware, incompetence resulting in loss of data, ransomware, corporate spies, etc. Since the list of threats is very long, it means that there’s a lot of security controls that we have to put in place. Unfortunately, we don’t have everything to prevent or mitigate all these threats.

• There are not enough resources and money in the world to totally mitigate all risks.

Corollary to the discussion regarding the management’s perception of IT/Cybersecurity, the budget for the team is limited. So if resources are limited, we can only do what we can within the budget. And that leads to the next inconvenient truth.

• Focus on protecting the most important information first, that which must be protected, and that with the highest risk.

Since we cannot protect everything and we have limited budget, the goal is to prioritize which threats have the highest risk with high severity. In that way, you are able to cover the majority of the security incidents in the organization.

This activity of prioritizing the controls based on the risk-rating is called Risk Assessment. We will have another discussion about it in another lesson.

Security Services and Security Mechanisms

To properly align the organization’s strategy and the cybersecurity team’s goals, we have to define the security services and mechanisms. Security services reflect on how the organization’s objectives are manifested. Security mechanisms, on the other hand, are the specific solutions that we can implement in the organization.

See example below:

We conduct risk assessment first before we can come up with the Security Services and Mechanisms.

• Goal: The organization wants to focus on physical security
• Security Services: (1)Personnel security; (2) Access control
• Security Mechanisms: (1) Security clearance, training, rules of behavior; (2) Biometrics, proximity card, mantraps;

What industry do you think will have this type of security goal?

It can probably be a bank or law enforcement (government) office.

It is important to determine the organization’s security services and mechanisms so that the cybersecurity team will also have a level of expectation on the types of controls and tasks that they will be doing.

So the next time you think about a cybersecurity project, you have to revisit again the defined security services and mechanisms of the team and see if they are aligned with each other. Otherwise, you will have to let it go so you won’t waste your time and effort.