Risk Assessment – On Estimating Control Strength

In a previous blog post, I discussed qualitative, quantitative, and scoring methods of risk assessment. Irrespective of which method we use, estimating “control strength” is an important part of calculating overall risk (especially in qualitative and quantitative methods). To improve consistency and to decrease subjectivity in estimating control strength, I am providing some examples of how to estimate control strength in this article.

What is a Control and Control Strength?

A “control” is something that reduces the potential for a loss. Controls can be implemented in many forms: a technical control (e.g. a firewall), a process control (e.g. a change management process), an administrative control (e.g. a visitor log), or in some cases a person (such as a security guard).

Simply put, control strength is the ability of a control to stop or resist cyber attacks from threat actors, resist compromise, and protect an asset’s confidentiality, availability and integrity.

Categorizing Control Strength

Control strength can be categorized into different levels, and using five levels is very common. The following is one way to describe these levels; there could be other ways to do so.

  1. Very High (VH) – The control will protect against top threats
  2. High (H) – The control will protect against the majority of threats
  3. Moderate (M) – The control protects against average threats
  4. Low (L) – The control protects only against very low-level attacks
  5. Very Low (VL) – The control is not effective at all and would rarely protect against any threats

Having these categories at hand, a risk analyst can determine control strength during the process of risk analysis in a more consistent manner.

Estimating Control Strength

Risk analysts need to make an estimate of control strength during the risk assessment process. This estimate could be based upon data (which is difficult to acquire in the information security field) or upon the experience and knowledge of the analyst. Following are some examples of how to estimate control strength in different scenarios. These could be used for educational purposes.

Scenario 1 – Protecting data in a web application with the help of user authentication, making it available only to authorized users.

The following is one way of estimating control strength levels:

  1. Very High (VH) – A user has to use a combination of username and password along with two-factor authentication. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters. Passwords expire after a certain time, forcing the user to change them. A user is notified via email when a password change occurs.
  2. High (H) – A user has to use a combination of username and password. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters. Passwords expire after a certain time, forcing the user to change them. A user is notified via email when a password change occurs.
  3. Moderate (M) – A user has to use a combination of username and password. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters.
  4. Low (L) – A user has to use a combination of username and password, but may use a password of any length with no requirement for special characters.
  5. Very Low (VL) – No username and password is required. A user can get to the data as long as the user has a specific URL.

Scenario 2 – Protecting the physical security of a data center

  1. Very High (VH) – Boundary wall with locked gates, 24×7 surveillance cameras, security guard on duty, visitor log register, keycard access to the data center room with biometric retina scan, camera inside the data center with face recognition technology that can identify unknown people.
  2. High (H) – Boundary wall with locked gates, 24×7 surveillance cameras, security guard on duty, visitor log register, keycard access to the data center room.
  3. Moderate (M) – Boundary wall with locked gates, security guard on duty, visitor log.
  4. Low (L) – Boundary wall with locked gates. Visitors with a key can enter the building.
  5. Very Low (VL) – Room inside a building with no locks.

Other Considerations

Here are a few other considerations when dealing with control strength estimation.

  • We don’t need all five levels of controls for each scenario. In some cases, we may have three or four levels of controls, e.g. Very High, Moderate, and Low.
  • The exact definition of each level of control can vary from one organization to another, but should comply with and be consistent with a single standard inside that organization.
  • The risk management leadership should train risk analysts on a continuous basis. The training should cover how to measure control strength by walking them through new scenarios each time. An example could be a monthly open meeting to pick one scenario and explain the rationale for its control levels.


Risk Assessment – Qualitative, Quantitative and Scoring

The information security community has been performing risk assessments for as long as the profession has existed. Risk assessment is typically classified as qualitative (e.g. Critical, High, Medium, Low) or quantitative (a dollar amount). Risk scoring is a relatively new phenomenon where a score (a number) is assigned based upon available data and numerical calculations. Scoring systems differ considerably from one method to another. For example, you may see scores confined to a certain range in one system and unbounded scores in another.

Why is methodology important?

Business outcomes may be different depending upon which methodology we pick. Each method has its advantages and drawbacks.

  1. Qualitative methods usually incorporate some level of subjectivity based upon the risk assessor’s experience. However, they can be done with relative ease and at high speed, taking less time to complete.
  2. Quantitative risk assessment methods involve more complicated math. Since large data sets are not available, risk assessors still make some assumptions in the inputs, which gives an impression of subjectivity. Implementing quantitative risk assessment “at scale” is difficult because it takes more time to perform.
  3. Risk scoring methods differ quite a bit in their implementations. Many vendors are not transparent about the underlying formulas used for scoring. However, methods exist to perform risk scoring based upon available data instead of assumptions. The main advantages are eliminating subjectivity and the ability to perform risk scoring at scale.

A decent risk assessment methodology could be a combination of qualitative, quantitative and scoring methods.

What factors to consider?

When considering which risk assessment methodology to adopt, the following are a few considerations.

  1. Staff experience in performing risk assessment.
  2. Speed at which risk assessment is needed.
  3. Tools available for risk assessment.
  4. Ability to collect data for risk scoring. The data may include vulnerability scanning results, endpoint detection and response (EDR) data, penetration testing results, patch management data, asset management data, coverage of security agents (or lack of it) and so on. The more data is available, the better the score.

My personal preference is to use risk scoring in combination with qualitative risk assessment performed in assessments like penetration testing.


Four Questions CISOs Should Ask Themselves Everyday

Four CISO Questions

While there is a huge list of CISO responsibilities, as we discussed in the CISO MindMap, keeping oneself focused on value creation and security program improvements is not easy. The following four questions will help improve the efficiency of the program through automation and picking the right problems to solve.

  1. How can we automate this?
  2. Is this problem worth solving?
  3. Will this enable business or add value?
  4. What incremental improvement can we make today?

While my focus is the information security community, these questions are relevant for all knowledge workers and leaders irrespective of their field of work.


Software Bill of Material and Vulnerability Management Blind Spots

Open source software is everywhere (which is not a bad thing in itself). However, many buyers don’t have an inventory of the open source components included in the software products they are buying. Businesses even fail to keep track of open source components used in internally developed applications. As a result, vulnerability management programs have blind spots.

Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

Why it matters:

  1. Use of open source software is not bad in itself. Everyone uses open source software. The biggest examples are Linux and the Apache server.
  2. Many commercial software vendors use open source components but don’t properly and adequately disclose all the open source components included in their commercial products.
  3. Recent vulnerabilities (e.g. log4j) have far-reaching impact.
  4. Software applications developed in-house also include open source components. As these applications age and the initial developers move on to new jobs, older and vulnerable open source components may stay in the applications unnoticed for a long time.

What to do:

  1. It is crucial to have an up-to-date inventory of all open source software, whether used as a standalone product or embedded as a library inside a product. We can’t manage what we don’t know exists.
  2. Require your software vendors to provide you with a list of all open source libraries, and their versions, embedded in their products.
  3. Make this list part of the vulnerability management program. Monitor the release of new vulnerabilities and patches for your inventory of open source software components.

When building a bill of materials for open source components, it is imperative not only to contact your software vendors but also to review all software applications developed in-house. In some cases you may use source code scanning tools to build an inventory of these components.


Podcast: CISO MindMap and Recommendations for 2022-23

Recently we recorded a podcast with CISO Tradecraft focusing on the CISO MindMap 2022 and recommendations for 2022-23.

For reference, the latest CISO MindMap is available here and the detailed recommendations page is also available here. You can listen to the podcast shown below. Thanks to G Mark Hardy and Ross Young for making this happen and for leading this podcast series.

Following is a list of my published books, in no particular order.

Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)


EBK-Cybersecurity: Understanding Stock Market Terminology

Basic Stock Market Terminology for CyberSecurity Professionals and Why Should They Care!

June 26, 2022 – Rafeeq Rehman

The role of InfoSec professionals has morphed into a critical business function. One should expect to get involved in “business” discussions often, and at increasingly higher levels of the business structure, up to the board of directors. Understanding and speaking business language is more important than ever for the success of any InfoSec professional.

As mentioned in my last post, I have started building a body of knowledge for the Essential Business Knowledge (EBK) needed by cybersecurity professionals. The first domain of this body of knowledge is “Essential Business Terminology for InfoSec Professionals”. This post covers some of these terms related to stock markets, where to get this information, and why InfoSec professionals should care. The following diagram shows terms in only one category (Stock Market).

Domain 1 – Essential Business Knowledge (EBK) – Stock Market Terminology

Stock Markets

A very large number of information security professionals work in publicly traded companies. Company stakeholders (shareholders/investors, company executives, employees who own company stock) have a keen interest in the performance of the company in the stock market. They use “stock market language” in business meetings and risk discussions.

Information security professionals should develop a foundational understanding of the stock market to follow these discussions and become a productive part of the conversation.

Where to get stock market information?

Stock market data is available online from many resources. In the United States, you can get the latest data from one of the following (and many other) resources.

  • Yahoo Finance (finance.yahoo.com)
  • Google Finance (finance.google.com)

Public and Private Companies

For-profit commercial businesses typically fall into two categories: public and private. Public companies are those traded on a stock market, where any investor can buy or sell their shares/stocks. Private companies, on the other hand, are owned by a limited number of shareholders and are not traded on the stock market.

Why should infosec professionals care?

  • Public companies are required to comply with many laws and regulations which are not applicable to private companies. Infosec professionals working in public companies are often involved in compliance, monitoring, and investigation activities.

Stock Ticker

A ticker is a symbol assigned to each company traded in the stock market. For example, the ticker for Apple Inc is AAPL, for Cisco it is CSCO, for Palo Alto Networks PAN, and so on. There are usually multiple stock markets in each country, each with its own ticker symbols for the stocks traded on it.

Why should infosec professionals care?

  • Stock tickers are commonly used in business conversations. You should know the stock ticker of your own company as well as tickers of major competitors.
  • Many APIs are integrated into corporate applications that use stock tickers. Infosec professionals may be engaged in security assessment of applications and APIs.
  • Applications used to track public sentiment and breaking news in social media also use ticker symbols. Some security operations centers may be using this information for real time awareness.

Market Capitalization

Market capitalization, also known as market cap, is the total value of a company, calculated by multiplying the stock price by the number of outstanding shares.

Market capitalization = share/stock price × total number of shares outstanding

  • Market cap is a measure of a company’s worth as viewed by investors in the stock market.
  • Market capitalization is frequently used to show growth or decline of a company in financial terms.
  • Market cap is used to put businesses in categories. For example, companies with market capitalization larger than 10 billion are called large-cap companies.

Why should infosec professionals care?

  • Sometimes infosec professionals need market capitalization in risk calculations.
  • Impact on market cap after significant data breaches is an important metric.

Initial Public Offering or IPO

An initial public offering, also known as an IPO, is the process by which a new company starts trading in a stock market. An IPO is a very important event in the life of a startup company. After an IPO, the general public can invest in the company’s stock.

Investment banks help private companies establish their valuation and take them to the stock market. An IPO establishes the initial market capitalization of a company. A ticker symbol is also assigned at the time of the IPO.

Why should infosec professionals care?

  • An IPO is an important milestone for a company.
  • Companies may face elevated threat activity around the time of an IPO, intended to gather and sell financial data.

Insider Trading

Some people inside any company have access to financial information that is not available to the public for trading (buying or selling stocks). Insider trading is when these individuals use or share this information for trading company stock. Not all insider trading is illegal. There are certain rules for individuals with insider knowledge who trade company stock, and their trades are legal as long as they abide by these rules.

Sharing insider information with outside entities is also a crime, and there are strong penalties, including jail time, for people caught in such activity.

Why should infosec professionals care?

  • Some infosec professionals, as part of their investigation work, may get access to financial information not available to the public. In that case they should check with the internal legal/ethics team to understand whether insider trading rules apply to them.
  • You may be asked to do an investigation (DLP systems, log reviews, etc.) to determine whether one or more individuals are involved in insider trading.
  • You may be responsible for the risk assessment of financial systems and for implementing security controls to limit access.

Securities and Exchange Commission – SEC

The Securities and Exchange Commission, also known as the SEC (sec.gov), is a US government agency responsible for regulating stock markets, ensuring fairness, stopping illegal insider trading and investigating cases where it suspects market manipulation.

Why should infosec professionals care?

  • For public companies, complying with SEC regulations is crucial. Infosec professionals are usually involved in designing, implementing, and monitoring controls for SEC compliance.
  • SEC controls may involve data retention, access to certain data, and monitoring the communications of individuals in certain roles (e.g. traders).

What About Other Terms?

I know that not all of the terms are covered in this post. However, it gives the reader an idea of what to expect when we expand the other subcategories, including:

  • General Management Terms
  • Budgeting and Financing
  • Sales and Marketing
  • User Experience
  • Legal and Compliance

Stay tuned!


Essential Business Knowledge for InfoSec Professionals

June 18, 2022 – By Rafeeq Rehman

The role of InfoSec professionals has morphed into a critical business function. One should expect to get involved in “business” discussions often, and at increasingly higher levels of the business structure, up to the board of directors. Understanding and speaking business language is more important than ever for the success of any InfoSec professional. Knowing basic business lingo is also crucial for effective communication inside an organization.

Lack of basic business knowledge and common business terminology hinders success and progress.

I have started creating a body of knowledge for the basic business skills required for the success of security professionals and for elevating their status in the business hierarchy. Following are eight major domains of essential business knowledge for information security professionals.

  • DOMAIN 1 – Essential Business Terminology for InfoSec Professionals
  • DOMAIN 2 – Business Communication for InfoSec Professionals
  • DOMAIN 3 – Funding Requests and Managing InfoSec Budget
  • DOMAIN 4 – Working with Vendors and Partners
  • DOMAIN 5 – Building Alliances, Collaboration to Advance InfoSec Goals
  • DOMAIN 6 – Excellence in InfoSec Customer Service, Knowing and Serving Customers
  • DOMAIN 7 – Creating Business Value with InfoSec
  • DOMAIN 8 – General Soft Skills to Succeed as InfoSec Professional

While the diagram shown here is a draft version, a much more detailed body of knowledge and a program to acquire this knowledge/skills will follow.

What are Major Skill Gaps?

ISACA published a report on “State of Cybersecurity 2022” in which they presented their findings on the global workforce. The most striking of all the findings is Figure 14 of the report showing major skill gaps among security professionals.

At the top of these skill gaps is “soft skills”, which includes communications, flexibility, leadership and others. This is similar to what we have been discussing about creating a body of knowledge for Core Cybersecurity Skills and Practices. Please see a screenshot of Figure 14 from the ISACA report (the report is available for download at https://www.isaca.org/go/state-of-cybersecurity-2022).

Figure 14: ISACA Report on State of CyberSecurity 2022

 


CISO MindMap 2022 – Recommendations

I have included six specific recommendations with the recent publication of the CISO MindMap. This article further elaborates on these recommendations, why they matter, and what actions information security leaders can take. The objective of this article is to provide context for these recommendations and a starting point for action. The actual strategy will vary for each organization depending upon how its IT environment and networks are designed and implemented.

Recommendation 1 

Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.

Why it matters:

  1. Ransomware is widespread and will continue to be in the near future, as it provides a quick monetization path to attackers. In many industry sectors it also touches human life and safety (energy, healthcare, manufacturing, shipping, etc.), making it even more impactful.
  2. Ransomware attacks have high visibility among corporate boards and executive leadership.

What to do:

  1. Perform business impact analysis with an objective of identifying critical assets, processes, applications and data.
  2. Evaluate security controls to protect these assets. Buy insurance.
  3. Test online and offline backups to ensure backups can be reliably restored within recovery windows.
  4. Evaluate your capabilities for dealing with ransomware attacks through mock drills and tabletop exercises.

Recommendation 2 

Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.

Why it matters:

  1. A Ponemon study shows that InfoSec teams have an average of 47 tools. Also, 53% of leaders are not sure whether these tools are working.
  2. More tools mean more staff, more cost, and a higher probability of tools becoming shelfware.
  3. Fewer tools that are properly configured and fully utilized actually work better in managing and optimizing risk.

What to do:

  1. Take an inventory of all security tools and their features.
  2. Identify feature overlap and eliminate redundancy.
  3. Eliminate shelfware (tools that are purchased but never used).
  4. Explore the use of Cloud-based subscription services. These are relatively easy to maintain over time.
  5. Simplify!

Recommendation 3 

To serve your business better, train staff on business acumen, value creation, influencing and human experience.

Why it matters:

  1. Studies from organizations like ISACA show that “soft skills” is the largest gap among infosec professionals.
  2. The work of infosec professionals impacts other fields in technology and business. The ability to communicate effectively and influence others is crucial to the success of your work.
  3. Security must become a business differentiator!

What to do:  

  1. Create a body of “essential business skills” that serves as a curriculum for InfoSec professionals (refer to some of my work at my blog site rafeeqrehman.com).
  2. Train the team on key business concepts: value creation, negotiation, conflict management, influencing, effective communication, human experience, listening, collaboration, KPIs (Key Performance Indicators), NPS (Net Promoter Score) and others.
  3. Add a column to security control databases/spreadsheets to monitor the impact of a control on human experience (both positive and negative).

Recommendation 4

Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

Why it matters:

  1. Use of open source software is not bad in itself. Everyone uses open source software. The biggest examples are Linux and the Apache server.
  2. Many commercial software vendors use open source components but don’t properly disclose it.
  3. Recent vulnerabilities (e.g. log4j) have far-reaching impact.

What to do:

  1. It is crucial to have an up-to-date inventory of all open source software, whether used as a standalone product or embedded as a library inside a product. We can’t manage what we don’t know exists.
  2. Require your software vendors to provide you with a list of all open source libraries, and their versions, embedded in their products.
  3. Make this list part of the vulnerability management program. Monitor the release of new vulnerabilities and patches for your inventory of open source software components.
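The inventory-and-monitor steps above, and the same three steps in the earlier post “Software Bill of Material and Vulnerability Management Blind Spots”, become a repeatable check once the inventory exists as a machine-readable bill of materials. The following Python is an added example, not code from this blog or from any project it mentions: it reads a constructed CycloneDX-style SBOM (direct components plus nested, i.e. indirect, components) and cross-references it against a constructed advisory feed whose identifiers are placeholders rather than real CVE numbers.

```python
"""Cross-reference a software bill of materials (SBOM) against advisories.

Constructed example for illustration. The SBOM below follows the CycloneDX
JSON layout ("components" list, with nested "components" for transitive
dependencies); the advisory feed, its IDs and version ranges are made up.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical in-house application.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "com.example", "name": "reporting-lib",
     "version": "3.2.0",
     "components": [
       {"type": "library", "group": "org.example.xml",
        "name": "xml-parser", "version": "1.9.4"}
     ]},
    {"type": "library", "group": "org.example.web",
     "name": "http-client", "version": "4.5.13"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders, NOT real CVE numbers.
# "fixed" is the first version that is no longer affected.
ADVISORIES: List[Dict] = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0.0", "fixed": "2.17.1",
     "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "group": "org.example.xml",
     "name": "xml-parser", "introduced": "1.0.0", "fixed": "2.0.0",
     "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "group": "org.example.web",
     "name": "http-client", "introduced": "4.0.0", "fixed": "4.5.0",
     "severity": "medium"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '1.9.4-beta2' into a comparable tuple such as (2, 14, 1).

    Pre-release suffixes are dropped; short versions are padded so that
    '2.14' compares equal to '2.14.0'.
    """
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if numeric is None:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in numeric.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def version_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range [introduced, fixed): the fixed version itself is safe."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def flatten_components(components: List[Dict], depth: int = 0) -> Iterator[Dict]:
    """Walk the component tree; depth 0 is a direct dependency, deeper is transitive."""
    for comp in components:
        yield {"group": comp.get("group", ""), "name": comp["name"],
               "version": comp["version"], "depth": depth}
        yield from flatten_components(comp.get("components", []), depth + 1)


def find_affected(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) match, most severe first."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in flatten_components(sbom.get("components", [])):
        for adv in advisories:
            if (adv["group"], adv["name"]) != (comp["group"], comp["name"]):
                continue
            if version_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "component": f"{comp['group']}:{comp['name']}@{comp['version']}",
                    "dependency": "direct" if comp["depth"] == 0 else "transitive",
                    "fixed_in": adv["fixed"],
                })
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: order.get(f["severity"], 9))
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:<9}{f['advisory']:<18}{f['component']} "
              f"({f['dependency']}) fixed in {f['fixed_in']}")
```

Re-running the check whenever the advisory feed or the SBOM changes is what turns the inventory into part of the vulnerability management program; the transitive flag shows which findings are only visible because nested components were walked.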

Recommendation 5

Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.

Why it matters:

  1. Business enablement requires InfoSec professionals to be at the forefront of innovation and to provide guidance on how to utilize emerging technologies (or risk being a roadblock to innovation).
  2. Security professionals must learn new technologies, identify the use of these technologies inside their organizations, and proactively build policies and standards for their use.

What to do:

  1. As an InfoSec leader, identify emerging technologies relevant to your business and encourage your teams to build expertise.
  2. Allocate budget for training or incentives for self-learning.
  3. Some technology areas are a must for every security team. These include a basic understanding of machine learning (ML) models, how ML models are trained, modern Cloud application architecture, service mesh, containers, and DevOps.

Recommendation 6

Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.

Why it matters:

  1. Risk management is a key component of any reasonable security management program, yet many organizations don’t have a good idea of their overall risk.
  2. Corporate boards and business leadership need InfoSec leaders to get better at communicating cyber risk.
  3. Cyber insurance companies’ demands for better risk management practices are only going to increase.

What to do:

  1. While proper quantification of risk is a great aspirational goal, many organizations can start with simple methods to track risk.
  2. Account for all major areas (technology, insider threat, process gaps, third parties, skill gaps in security teams, compliance, use of open source software) and adopt a consistent methodology for risk identification, assessment, prioritization and treatment.

References

  1. Download CISO MindMap 2022
  2. 2022 ISACA Report on State of Cybersecurity
  3. Managing Cybersecurity Program Cost
  4. Ponemon Report: The Cybersecurity Illusions, The Emperor Has No Clothes.
  5. CISA National Risk Management Center (NRMC)
  6. Verizon Data Breach Investigations Report (DBIR)
  7. CISA Stop Ransomware website
  8. Blog post: Why we need to redefine CIA triad
  9. Blog post: What is service mesh and why should anybody care
  10. AWS Publication: Ransomware Risk Management on AWS using NIST Cyber Security Framework (CSF)

Disclaimer

Recommendations provided here are not professional advice. Cybersecurity is a complicated matter and actions may differ significantly based upon how the overall ICT networks and applications are designed and implemented. A thorough assessment of network and applications is necessary for specific recommendations.


CISO MindMap 2022: What do InfoSec Professionals really do?

NOTE: An updated version of CISO MindMap has been published here.

Let me start with the quote from last year: most people outside the cybersecurity profession don’t fully realize and appreciate the complexity of a security professional’s job. Since 2012, the CISO MindMap has been an effective educational tool and has enabled professionals to design and refine their security programs. Here is the latest and updated CISO MindMap for 2022, with a number of updates and new recommendations for 2022-23.

CISO MindMap 2022

Please download the PDF version for better printing quality.

What has changed?

With time, the responsibilities of security professionals are only increasing. Why? Technology is changing fast, bringing new ways of doing business, continuous adoption of Cloud, and many emerging technologies. Infosec professionals are not only “expected” to deeply understand these technologies, but also to provide policies and guidance on how to secure them. For this reason, every year you find a few new things on the CISO MindMap. Like every year, a few things are added, changed or removed from the MindMap depending upon their relevance. Changed items are marked in red for your convenience.

Other changes include, but are not limited to:

  • Remove duplicates
  • Merge branches with overlapping functions
  • Add NIST CSF references at high level, where possible.
  • In some cases more defined/accepted terminology has emerged. For example, Cloud Security Posture Management (CSPM) is a widely accepted term now. As a result, I have replaced some Cloud Security items with CSPM.
  • Expiration Date – A common issue is that many professionals still have older copies of the CISO MindMap. I added an “expiration date” to let people know when they should stop using a particular version. The expiration date for the 2022 version is the end of June 2023. The next version will be published before the current version expires.

Recommendations for 2022-2023

I know you already get plenty of recommendations from your vendors, industry analysts and pundits, and other “experts”. You also know that many of these recommendations may carry vested interests and/or biases. I make my own recommendations as a practitioner every year and try to be objective, avoid the hype, focus on what needs adoption in the next 12-18 months, and rely solely on what data and research show. However, it is still my interpretation of data and facts, and I may have my own unintended biases even with all objectivity and an evidence-based approach. For me, the most difficult part of making these recommendations is to pick as few as I can. The following list is longer than I would like it to be, but hopefully it gives you a few things to think about. Followers of the MindMap will quickly notice that some of these are the same as last year’s.

  1. Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.
  2. Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk, but they do add to the expertise that security teams must maintain.
  3. Train staff on business acumen, value creation, influencing and human experience to serve business better. I can’t emphasize this enough.
  4. Take an inventory of open source software (both direct and indirect use) and make it part of your vulnerability management program.
  5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
  6. Maintain a risk register.
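Recommendation 4 asks for an inventory that covers indirect (transitive) use of open source, not just the packages a team chose deliberately. As an added example, not the MindMap author's tooling, the following Python script reads an npm package-lock.json in the lockfileVersion 3 layout, follows npm's nested node_modules resolution so that a non-hoisted duplicate version is not missed, labels each package as direct or transitive together with the direct dependency that pulls it in, and then joins the result against an advisory list. The lockfile contents, the package names and the "first fixed version" advisory data are constructed for illustration and are not real packages or advisories.

```python
"""Inventory direct and transitive npm dependencies from a package-lock.json
(lockfileVersion 3) and flag versions below an advisory's first fixed version.

Added example, not the CISO MindMap author's code. The lockfile, package
names and advisories below are constructed for illustration only.
"""
import json

# Constructed lockfile in npm's lockfileVersion 3 layout: "packages" is keyed
# by install path, and "" is the application itself. Names are hypothetical.
LOCKFILE = json.loads("""
{
  "name": "payments-api",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "payments-api",
         "dependencies": {"web-router": "^2.1.0", "yaml-lite": "^1.4.0"}},
    "node_modules/web-router": {"version": "2.1.3",
         "dependencies": {"header-parse": "^3.0.0", "log-fmt": "^1.0.0"}},
    "node_modules/header-parse": {"version": "3.0.2",
         "dependencies": {"log-fmt": "^0.9.0"}},
    "node_modules/header-parse/node_modules/log-fmt": {"version": "0.9.4"},
    "node_modules/log-fmt": {"version": "1.0.1"},
    "node_modules/yaml-lite": {"version": "1.4.2"}
  }
}
""")

# Constructed advisory feed (hypothetical): package name -> first fixed version.
ADVISORIES = {"log-fmt": "1.0.0", "yaml-lite": "1.5.0"}


def resolve(packages, parent_key, dep):
    """Return the lockfile key Node would load for `dep` when required from
    `parent_key`, walking up nested node_modules directories (npm hoisting)."""
    prefix = parent_key
    while True:
        candidate = f"{prefix}/node_modules/{dep}" if prefix else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not prefix:
            raise KeyError(f"{dep} is not resolvable from {parent_key!r}")
        # Drop the innermost "/node_modules/<name>" segment and retry one level up.
        prefix = prefix.rsplit("/node_modules/", 1)[0] if "/node_modules/" in prefix else ""


def inventory(lock):
    """Return {"name@version": {name, version, direct, via}} for every package
    reachable from the application root. Keyed by name@version because the same
    package can be installed twice at different versions (as log-fmt is here).
    `via` records the direct dependency that introduces a transitive one."""
    packages = lock["packages"]
    rows = {}

    def walk(key, via, direct):
        for dep in packages[key].get("dependencies", {}):
            dep_key = resolve(packages, key, dep)
            version = packages[dep_key]["version"]
            ident = f"{dep}@{version}"
            if ident in rows:
                # Already recorded (reached by another path, or a dependency cycle).
                rows[ident]["direct"] = rows[ident]["direct"] or direct
                continue
            rows[ident] = {"name": dep, "version": version,
                           "direct": direct, "via": dep if direct else via}
            walk(dep_key, dep if direct else via, False)

    walk("", None, True)
    return rows


def version_tuple(v):
    """Numeric-only semver compare; enough for the constructed data above."""
    return tuple(int(part) for part in v.split("."))


def vulnerable(rows, advisories):
    """Identifiers whose version is below the advisory's first fixed version."""
    return sorted(ident for ident, r in rows.items()
                  if r["name"] in advisories
                  and version_tuple(r["version"]) < version_tuple(advisories[r["name"]]))


def summarize(rows):
    """(direct count, transitive count) for a quick program-level metric."""
    direct = sum(1 for r in rows.values() if r["direct"])
    return direct, len(rows) - direct


if __name__ == "__main__":
    rows = inventory(LOCKFILE)
    for ident, r in sorted(rows.items()):
        kind = "direct" if r["direct"] else f"transitive via {r['via']}"
        print(f"{ident:22} {kind}")
    print("needs attention:", vulnerable(rows, ADVISORIES))
```

The point of the walk is the second copy of log-fmt: the direct, hoisted version is at 1.0.1 and looks fine, while header-parse pins its own 0.9.4 underneath it, which an inventory of declared dependencies alone would never list. In practice the advisory dict would be replaced by a real feed and the version comparison by a proper semver library, but the resolution logic is what decides whether the indirect copy shows up in the vulnerability management program at all.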

I am eager to hear your viewpoint on these recommendations, and why or why not!

How to use CISO MindMap?

I receive messages from many professionals about the many different ways they are using the CISO MindMap. Over the years, it has become a great tool for many of you, and I appreciate your feedback and kudos. Following are some of the ways this MindMap is quite helpful:

  • Have you been asked what you really do as a security professional? The CISO MindMap is one way of answering that question and explaining it to people. I have heard from many professionals that this MindMap is extremely helpful in explaining the complexity of a CISO job, especially to a business audience.
  • A means for guiding conversation with other technology professionals.
  • SANS Institute uses it as part of the Security Leadership Poster.
  • Designing and refining security programs.
  • Some security vendors use the MindMap for awareness.
  • CISO group discussions and/or community meetings.

Obviously there is a lot on this MindMap. The stress on people who have these responsibilities is real. If nothing else, this MindMap should help leaders recognize that stress and do something about it. I covered this topic (stress) in my latest book Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC) as well.

Translation to other languages

Some of you have offered to translate the MindMap into other languages. I really appreciate it and look forward to working with you to have a few translations completed this year.

Acknowledgments

Many people have contributed to the thought process behind this MindMap over the years. This time we had a LinkedIn Group to gather suggestions and comments from the community. While many provided feedback, the following is an alphabetically organized list of people and organizations who provided “specific suggestions” for improvements. If I missed anyone, please send me a message to make corrections.

Your suggestions contributed towards overall enrichment of the MindMap. Additionally, I am thankful to all community members who use and share their experiences. Your input is highly appreciated!

Copyright © Note

This MindMap is copyrighted material. However, it is absolutely free to all (like water and air) with no strings attached, as long as it is not altered and not used to make money. When using this MindMap, please cite the source properly so that recipients can receive future updates.

Posted in cisomindmap | Comments Off on CISO MindMap 2022: What do InfoSec Professionals really do?

Essential skills to start any career path in information security


Many career paths in information security are well-established and new ones are emerging. Although each career path requires its own specific skills, some skills are fundamental and essential to all of them. These essential skills are listed below, and anybody wishing to be successful in information security should build a strong foundation in all of them.

  1. Foundational information security principles
    • Confidentiality, Integrity and Availability (CIA), fundamental security architecture, least privilege, need to know, access controls
  2. Operating Systems and Cloud – Linux/Unix, Windows, Cloud, and mobile operating systems, including fundamental hardening methods for each of them
  3. Networking and application protocols
    • Very good knowledge of common Internet and application protocols: TCP/IP, DNS, HTTP, SMTP, SSH, routing protocols, etc.
    • Hands-on practice with routers and switches, packet capture tools, nmap, curl and other tools, so that you can see what is actually happening on the network
  4. Scripting and Programming
    • Shell scripting, Python, an understanding of how web applications are built (HTML, JavaScript), SQL/databases
  5. Encryption technologies – PKI concepts, TLS, data security
  6. Written and verbal communication

Posted in Leadership | Comments Off on Essential skills to start any career path in information security