Six fundamental models that always fill my personal and professional life with joy, pleasure and satisfaction
Do the right thing, always – This is my first model of a joyful life, explained to me by a school senior friend. If you do this, you will never regret anything from the past, career choices, business decisions or personal relationships. It takes a lot of courage, but you will have a contented heart all the time.
Create value for people – “Your value” is directly proportional to the value you create for others. Measure your actions by how much they benefit others, whether it is a business meeting, a family dinner, or social media post. Always serve the people around you.
Embrace imperfection – There is no perfect time to launch a product, start a business, pursue a degree, or change career. You will never have perfect information to make important decisions. Embrace imperfection, “good enough” is much better than “perfect”.
Be generous to people – Be generous in your praise of people, in sharing credit, in giving favors. Be a giver. Be generous with people who disagree with you. Giving favors is the best investment for your career and your personal life. The best thing is that you know when you are generous.
Simplify everything – Complexity is the biggest enemy at work, home, in relationships, and with friends. Be simple, do simple things, have simple ideas, simplify things for people. Be single threaded to improve productivity. Use images, diagrams, and analogies to explain complex things.
Fail often – Fear of failure keeps people from achieving great things and miss career opportunities. Fail, because if you have not failed in a long time, you have very likely missed many opportunities. Overcome the fear of failure, you don’t have to prove anything to anyone. Abandon your comfort zone.
While many people and organizations have been praised for their philanthropic work and poverty alleviation, the open source movement does not get the credit it deserves. I would argue that no other work comes even close to what the open source software movement contributed and achieved. How? Let me explain just a few points.
Access of modern operating system for Universities
Before Linux was a thing, a vast majority of universities in the developing world could not afford purchasing expensive multi-user operating systems and the machines they used to run. People remember how expensive Sun, IBM, Vax and other systems (hardware and software) used to be. As a result, it was very difficult for students of these universities to gain modern skills, get high paying jobs in the emerging software industry, and pull their families out of poverty. Linux changes much of it. It was free, it ran on cheap commodity hardware, and it opened a world of new possibilities for millions.
Startups and software development
The open source software packages, compilers like GNU, and other development tools made software development accessible and enabled common people to build software applications and start their own businesses. It made innovation and large scale job creating possible.
Enabling the Internet
The Internet would not be what it is if there were not the Apache web server, open source databases, and other tools that run the core of the Internet engine. Think about the opportunities and wealth that has been made possible through the Internet, thanks to open source software that runs most of the Internet services.
AI/ML and emerging technologies
Open source software libraries for Artificial Intelligence (AI) and Machine Learning (ML) are core to the expansion of this field as well as other technologies that fuel IoT, Cloud, and DevOps.
Today a large number of Internet connected devices run on some version of Linux, most of the Internet servers run Linux. Same is true for mobile devices. The credit goes to a large number of enthusiasts building open source software and organizations protecting the movement from legal challenges. The open source software is the engine of innovation, human progress, and wealth generation. Directly or indirectly it continues to pull people out of poverty. More than anything else, it is changing lives for many and making the playing field level for everyone.
References
Shahid H. Bokhari and Rafeeq U. Rehman, Linux and the developing world – IEEE Software, January/February 1999, pp. 58-64, vol. 16
There are many reasons that make Secure Access Service Edge (SASE) an appealing concept. Major among these are moving from corporate data centers to the Cloud, need to work from anywhere, reducing complexity, and use of applications delivered as SaaS. The SASE hype is at its peak and all major security &network vendors are embarking on the SASE train. However, there are many factors that can derail this train and it is yet to be seen if market is ready for large scale SASEE adoption.
Factors to Consider
SASE is not a single technology. One of the objectives is to provide a combination of many capabilities into a single platform. However, reliance on single platform has its own side effects. Any major security issue with a SASE vendor could create problems. For example, in the face of a major security incident, while it is plausible to shutdown part of IT infrastructure, turning off a SASE platform may mean shutting down the business.
Many small businesses have limited budgets/IT staff with no separation of security and network and could be good target for SASE adoption. However, any sizable medium and large businesses have separate security teams. People who have worked in corporate world for a long time, are well aware of cultural issues and dynamics that play a key role between security and network teams. How these two cultures come together is yet to be seen.
Adherence to the key security concepts including separation of duties, defense in-depth with multiple technologies, using technology components that provide a single function, still need some reconciliation with the notion of convergence and use of a single platform.
Why it matters?
To implement a SASE platform, key decision makers need to fully evaluate the factors mentioned above, keeping in view risk factors, cost, and complexity. The alternate to using a single SASE platform is combining best capabilities from multiple vendors.
Who should care?
There are multiple parties who have some stake in SASE decision making. These include but not limited to:
CISO – manage risk
CFO – save money
CIO – manage complexity and budget
What is next?
A “complete” SASE platform does not exist yet. Businesses need to make careful evaluations of vendor offerings, avoid “me-too” solutions, and think in the long-term as adopting a SASE platform.
Most people outside the Cybersecurity profession don’t fully realize and appreciate the complexity of security professionals’ job. I have been publishing and updating this MindMap for almost a decade, not only as an effective educational tool but also to enable professionals to use this MindMap for designing and refining their security programs. Here is the latest and updated CISO MindMap for 2021 with a number of updates and new recommendations for 2021-22.
The responsibilities of security professionals are only increasing and CISOs are finding themselves in the middle of more things than they wish to be. Why? Technology is changing fast, bringing new ways of doing business, continuous adoption of Cloud, and ever-expanding uses of machine learning (and AI in a broader sense). Infosec professionals are “expected” to not only understand all of this but also provide policies/guidance on security of these technologies. For this reason, every year you find a few new things on the CISO MindMap. This year, I have also reorganized/moved a few items to more appropriate sections. So:
Items in red color are new that did not exist last year.
Items in blue color are not new, they are just rearranged in a different section of the MindMap.
I hope this color coding will help you understand what has changed.
Recommendations for 2021-2022
I know you already get plenty of recommendations from your vendors, industry analysts and pundits, and other “experts”. You also know that many of these recommendations may have some vested interests and/or biases. I make my own recommendations as a practitioner every year and try to be objective, avoid the hype, and solely focus on what data and research shows. However, it is still my interpretation of data and facts and I may have my own unintended biases even with all objectivity and an evidence-based approach (by now some of you may have figured out that I am not a machine, although the Age of Spiritual Machines has long been predicted and is on the horizon). For me, the most difficult part while making these recommendations is to pick as few as I can. The following list is longer than what I would like it to be but hopefully it would give you few things to think about.
Re-evaluate your ransomware defenses, do a business impact analysis, especially in areas where ransomware may impact the physical world and human safety.
Reduce/consolidate security tools/technologies and vendors (less is more in many cases).
Monitor Cloud mis-configurations in real time and at machine speed.
Adopt borderless network strategies (SASE, Zero Trust, and/or whatever you want to call it).
Think about cooperative/collaborative SOC strategy.
Train staff on business, ML models, model training, service mesh, containers, DevSecOps.
Plan for government shutdown of a critical software or service provider due to security issues and supply chain attacks (hope this never happens but supply chain attacks in the past 12 months warrant need for preparedness).
Item number 5 above is a long-term consideration and is not really a new or earth shattering idea. However, it is something to consider seriously for sustainability and to remove some of the insanity in security operations. If you don’t agree, I am eager to listen to your viewpoint and why.
How to use CISO MindMap?
I continuously get messages about how many different ways people are using the CISO MindMap. Over the years, it has become a great tool for many of you and I appreciate your feedback and kudos. Following are some of the ways this MindMap is quite helpful:
Have you been asked what you really do as a security professional? Well, this is one way for answering the question and explaining it to people. I have heard from many professionals that this MindMap is extremely helpful in explaining the complexity of a CISO job to a business audience.
A framework for guiding discussion.
SANS Institute uses it as part of the Security Leadership Poster.
Designing and refining security programs.
Some security vendors use the MindMap for awareness.
CISO group discussions and/or community meetings.
It could be a great time waster if you have nothing else to do on a Friday evening, or, to say “why would anybody do that”?
This is a copyrighted material but is absolutely free to all (like water and air) with no strings attached (as long as it is not altered and not used to make money). My request is that when using this MindMap, please cite the source properly.
Secure Access Service Edge or SASE is a relatively new concept. The goal is to connect users from anywhere to applications, data and services hosted in any place (Cloud, corporate data centers or Software-as-a-Service platforms). The basic idea is to simplify technology infrastructure by combining commonly-used network and security services in a single platform and deliver this service from the Cloud.
What would it take to implement a SASE strategy?
Many vendors have started creating their “SASE platform” that include technologies such as SD-WAN, Cloud based firewall, Zero Trust networking, Cloud Access Security Broker (CASB), Secure Web Gateways (SWG) and others. However, a SASE strategy goes beyond technology platforms and must include the following four components:
SASE technology and platform that integrates individual SASE components and is delivered from Cloud.
The underlying network transport (Dedicated internet, broadband, wireless, private network, etc.) that enables SASE.
Managed network service combined with a SASE platform to provide a fully managed SASE service.
Threat monitoring, detection, and response
Why should you care?
At this point, the SASE market is evolving and almost all vendors are struggling to build their “SASE story”. Businesses, who are consumers of these platforms, are also confused about their long-term strategy and which vendor to pick from an evolving “me-too” marketplace.
Which SASE providers are likely to succeed?
Businesses who rely on their technology partners for managed services will tend to look at network/telecom service providers (to acquire all four components of a SASE strategy as listed above). Businesses who manage their network and security internally are most likely to go with SASE vendors that focus on user experience and simplicity through a common management platform (single pane of glass) that provides integrated SASE management and monitoring options.
There is a lot going on with Cloud computing, containers and micro services. Following is a summary of what information security professionals need to know about one very important idea: the Service Mesh.
What is it? Service Mesh controls, monitors, and secures service-to-service communication (also for container-to-container communication)
What does it achieve? It moves/offloads security of communication from “service/application” to platform.
Where is it placed? It sits “next to” service as a set of proxies and usually part of Kubernetes cluster.
How does it achieve its goals? Service Mesh implements a control plane and a data plane. The control plane enforces policies whereas data plane enable communication among services.
Is Service Mesh useful in every case? It is only beneficial when your application uses micro services. Also, if your application uses a service bus like Kafka, Service Mesh will not buy you much.
What a service mesh can do? It can provide necessary security, reliability and observability functions. For example, it can implement transparent mutual TLS (mTLS) to establish communication between two services. It can also help identify latency and measure errors in inter-service communications (and much more). From a reliability perspective, a Service Mesh can perform actions like load balancing and retries in case a communication fails.
Why Should InfoSec Professionals Care?
Confidentiality, observability, and reliability of container-to-container/service-toservice communication is of great interest to infosec teams in modern microservices architecture.
Why use Service Mesh, especially in the Cloud? Since communication between two services hosted in the Cloud takes place over Cloud infrastructure controlled by Cloud service providers (CSP), it is essential to ensure end-to-end encryption to protect confidentiality of information flowing between two services. With mTLS, Service Mesh provides both authentication/authorization as well as confidentiality by encrypting all traffic.
Can we enforcement policy and implement zero trust architecture? Yes, with service mesh, zero trust for containers and services can be realized.
Open Source Service Mesh Technologies
There are many technologies available, both in open source as well as from CSPs. Two commonly used open source technologies are listed below:
The PDF version of my latest book “Cybersecurity Arm Wrestling – Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)” is now available for download. You can share this link, print it, and use it for your personal purposes. However, you are not allowed to modify it, or distribute in any shape of form. Thank you!
You can still get printed copy of book from amazon.com if you choose to do so using the following URL.
There are few things that every architect should do but most forget. As you know, there is no shortage of technology architecture frameworks and standards. You may have come across TOGAF for enterprise architecture and SABSA (Sherwood Applied Business Security Architecture) for security architecture. Without going into detail of any of these, I just want to touch base on a few things that every architect should keep in mind to ensure success of themselves as well as people around them (engineers, developers, operations, etc.).
These are: Business, Operations, Technology and Service or “BOTS”. When creating architecture for security projects, everyone should focus on “BOTS” which are the perspectives and “views” listed below:
Business View – First and foremost, ensuring that the architecture meets business needs. You may have a perfect architecture but it may hinder business instead of enabling it.
Operational View – Don’t forget the operations. Someone has to run it on a day to day basis. Operations teams are one of the main stakeholders but often forgotten. Consider how your architecture will make their life easy and not difficult.
Technology View – I know this is already the main focus area of all architects. However, technology has many aspects that are ignored sometimes. These include cost, maintainability, complexity, maturity etc. You should remember that complexity is the enemy of security. Complex systems are not only difficult and expensive to maintain, many times they are not as secure as simple systems.
Service View – Whatever you are building, at some point “people” are going to use it, directly or indirectly. Consider the service that you are providing and usability of the overall system. A multi-factor authentication could be very cumbersome or very transparent for the end users. You know which one would be more successful!
Business, Operations, Technology and Service (BOTS) views are essential for success of any information security project. In my last 20 years of experience, I have seen many projects either completely fail or not realize their potential just because architects forgot about one or more of the BOTS views. Don’t do that!
My latest book “Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)” is published and available on amazon.com worldwide.
This is a relatively short book with 11 chapters, three sections and about 130 pages (excluding front matter like table of contents). I will be looking forward to getting your feedback to make improvements for the next editions.
Please subscribe to this blog for updates and new posts
The final draft of “Cybersecurity Arm Wrestling – Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)” book is complete and is available for download and your comments. The book consists of ten chapters as listed below:
Introduction
SOC Business Case Development
Logs and other data sources
SOC Human Resources
SOC Technology Stack
SOC Implementation Planning
SOC Operations and Incident Response
SOC Staff Training and Skills Development
Threat Intelligence and Threat Hunting
Open Source Solutions for SOC
The final version will be published on paper and will be available through amazon.com for purchase and may contain additional content (based upon additional reviews). The expected timeframe for paper copy is April 2021.
Download the PDF Version
You can download the final draft version immediately from is this URL.Please provide your comments, recommendations, and any suggestions before the final version is published as paper copy.
Acknowledgments
I am extremely thankful to many individuals who provided their input and reviews to make this book better. They include but are not limited to the following:
