There are two areas of human endeavour where security and performance have improved dramatically during the last hundred years, at a pace that does not seem to be slowing down significantly: aviation and medicine.
A powerful reason for the advances in medicine is the use of evidence-based practices since the 90s, while aviation uses a system in which both accidents and close calls are thoroughly investigated and the lessons learnt are applied across the industry with very little regard for politics, convenience or stepping on sensitive toes. Both endeavours are at least as complex as cybersecurity, if not more so, and they have shown how seemingly intractable complexity can be tackled.
Those disciplines are not completely free of problems, and they have their share of critics, but the essential quality of evidence-based practices is that they are self-correcting. If you are doing it wrong, it will come to light sooner rather than later, and it will be possible to fix what was being done wrong. This is not the case with practices not based on evidence.
Vinnie's Handbook lays out a practical way to go about cybersecurity management, with the intention of applying an evidence-based management style to cybersecurity with the minimum fuss and overhead possible. This means taking parsimony to an extreme, so several worthy, if potentially academic, subjects are not discussed: the advantages of applying the scientific method to cybersecurity; what an operational definition is; what exactly it means to measure something; what levels of measurement are; what a model, a method, an emergent property or a process is; why you should use the Kung Fu Panda communication style; and what makes these concepts more or less useful. Nevertheless, I think it is fair to acknowledge that there are some ways in which cybersecurity management is not like other types of management, among them:
- Cybersecurity leaders most often need to work with incomplete information. In all but the smallest organisations we will not know everyone, and we will not know every system, how it is used and how it is built.
- As cybersecurity leaders we need many people to either change how they do things or do things for us, but alas, they are not working for us. This means we need significant influence but we don't enjoy much leverage. Ideally this influence should extend to decision making at the highest level possible, including the board of the organisation.
- When successful, the final result of cybersecurity is… nothing. No incidents. A side effect is that it is hard to tell those who are good at cybersecurity management from those who are just lucky.
- Due to the previous point, you can't get twice as much security for twice as much investment. As it is hard to know how much security you are getting, it is almost impossible to know whether the investment is proportional to how much security is necessary; it will often be too low, and sometimes too high.
- Not every information system contributes to business needs to the same degree. A breach of your customer database has vastly different implications from a compromise of an internal event scheduling tool. Securing all systems equally often leads to investing too much in some areas and too little in others.
- It is difficult or impossible to determine whether we succeed or fail. Does one incident alone mean we are no good? How many incidents indicate failure? If we can't answer this last question, does that mean we always succeed, regardless of the number or severity of incidents?
I admit that the actual implementation of cybersecurity management varies greatly depending on the industry and the scale of the organisation. I present here the general principles of cybersecurity management, without delving into whether one person or hundreds will be involved in getting it done.
How to use this Handbook
This handbook is for people who want a brief and practical overview of cybersecurity management, and particularly for cybersecurity leaders that want to validate their approach.
This is probably the best handbook you will read today, or even this week about cybersecurity. There are many advantages to using it, among them:
- You can use it in organisations of any size, budget and complexity
- Your organisation does not need to get "Vinnie's Handbook" Certified.
- You can't possibly become a "Vinnie's Handbook" Certified Professional. There will only ever be one: me.
This is the question I am trying to answer: how do you go about implementing a common-sense, evidence-based approach to cybersecurity?
Depending on your goals and previous experience, it is probably helpful to set expectations. While I tried to create a natural and linear flow, there are too many cross-dependencies to allow it. I suggest you read it as if you were using it to review your own way of doing cybersecurity, chapter by chapter, like so:
First, Stakeholders and Assets: We need to start here as it is the stakeholders who define the success criteria.
Second, Success Criteria: Meeting a success criterion renders security; failing it renders an incident. This greatly simplifies management, as we will later discuss.
Third, Periodic Protection Tasks: These tasks must naturally generate evidence, to facilitate management, and they include:
- Discovery of assets
- Prioritisation of assets
- Checking for vulnerabilities
- Fixing vulnerabilities
Fourth, Periodic Management Tasks: To steer the ship we need to:
- Periodically collect metrics counting evidence and create reports visualising them.
- Hold periodic steering meetings with relevant stakeholders reviewing reports, and taking decisions recorded in meeting minutes.
And fifth, Learning from Incidents (failure to meet success criteria) and making improvements to prevent them from happening again.
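The five-step cycle above, reduced to code as an added example (not the handbook's own code): evidence from the protection tasks is counted into per-tier metrics for the steering report, and a record that fails the success criterion is counted as an incident. The asset tiers, the fix deadlines per tier and the sample evidence are all constructed assumptions.

```python
"""Evidence-counting metrics for the handbook's management cycle (added example,
not the handbook's code). Assumes a constructed evidence log from the protection
tasks and one assumed success criterion: fix within the asset tier's deadline."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Vuln:
    asset: str             # from the asset discovery task
    priority: int          # from the prioritisation task; 1 = most business-critical
    found: date            # evidence from "checking for vulnerabilities"
    fixed: Optional[date]  # evidence from "fixing vulnerabilities"; None = still open

# Success criterion per tier: maximum days from found to fixed (assumed values).
FIX_DEADLINE_DAYS = {1: 7, 2: 30, 3: 90}

def is_incident(v: Vuln, today: date) -> bool:
    """True when the vulnerability outlived its tier's deadline. Open ones are
    measured against today, so an overdue open finding already counts."""
    end = v.fixed if v.fixed is not None else today
    return (end - v.found).days > FIX_DEADLINE_DAYS[v.priority]

def metrics(vulns, today: date) -> dict:
    """Count the evidence into per-tier numbers for the steering report."""
    report = {}
    for tier in sorted(FIX_DEADLINE_DAYS):
        in_tier = [v for v in vulns if v.priority == tier]
        incidents = sum(is_incident(v, today) for v in in_tier)
        report[tier] = {
            "total": len(in_tier),
            "open": sum(v.fixed is None for v in in_tier),
            "incidents": incidents,
            # share of this tier's evidence that met the success criterion
            "met_pct": round(100 * (1 - incidents / len(in_tier))) if in_tier else 100,
        }
    return report

# Constructed sample evidence, not real data; "today" is fixed for reproducibility.
SAMPLE = [
    Vuln("crm-db", 1, date(2024, 3, 1), date(2024, 3, 5)),    # fixed in 4 days: ok
    Vuln("crm-db", 1, date(2024, 3, 2), None),                # open 12 days: incident
    Vuln("scheduler", 3, date(2024, 2, 1), None),             # open 42 days: within 90
    Vuln("payroll", 2, date(2024, 1, 1), date(2024, 2, 15)),  # fixed in 45 days: incident
]
TODAY = date(2024, 3, 14)
```

Because deadlines differ by tier, the same evidence yields different metrics for the customer database and for the scheduling tool, which is the point made above about not securing every system equally.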
Besides the main five, there are five other chapters you can jump to if they will help you better grasp some details. You can read them in any order:
- Evidence, Metrics and Audits
- Procedures, Policies, Forms, and other Documents
- Security Architecture
- Management Antipatterns
- Onboarding new suppliers
And then we have the Annexes, which are nice to have; you can read them or not:
- Management Style
- Career Mistakes
- Identity Management Vulnerabilities
- Learn More
You can get it here:
Vinnie's Handbook for Cybersecurity Leaders (English Edition)
