Chapter 1
Designing a Cybersecurity Program
My experience has shown that most cybersecurity programs do not originate from a comprehensive design. Rather, they tend to evolve based on disparate opinions of stakeholders who often change strategies and approaches without considering or addressing fundamental design problems. Your organization's success in defending against internal and external bad actors will hinge on the completeness of your cybersecurity program. As a manager involved in cybersecurity within your organization, how can you ensure that you have all the right pieces of cybersecurity in place to close any gaps that might serve as hidden passages of attack? The answer is to follow a prescriptive design approach that blends experience-based guidance with authoritatively sourced resources. Adopting this approach not only identifies the gaps, but it leads to the development of cyber-gates to block intruder passages.
Cybersecurity program design will require you to know a little something about systems architecture, including blueprints, frameworks, and models. This chapter allows you to go to the front of the line, bypassing years of training and working in the field. Your pass to the front of the design line comes from my sharing of approaches to designing cybersecurity programs that have served me well over the years.
This chapter will help you to:
- Learn that investing the time and effort to properly design your cybersecurity program is essential to its success.
- Create a properly structured cybersecurity program.
- Leverage good practices to improve your cybersecurity program design.
1.1 Cybersecurity Program Design Methodology
Over the course of my career, I have either developed or assessed over one hundred comprehensive cybersecurity programs. Going by Malcolm Gladwell's 10,000-hour rule, I qualify as an outlier on assessing cybersecurity programs. This experience has granted me the insight that there are certain common denominators of the most successful programs; these are the focus of the chapter. I will share with you the good practices I observed across the many cybersecurity projects I have been involved with. Depending on the size of your organization and scope of your program, you may wish to eliminate or combine some of the components I present. I begin with components that address the overall management of the cybersecurity program and end with components that address the daily management of program countermeasures. The order of the components matters less, as the components operate in parallel with one another.
1.1.1 Need for a Design to Attract the Best Personnel
Cybersecurity programs rely on talented contributors and their retention. A properly organized program enables personnel to see how they contribute to the program's vision and mission. To help you achieve the proper program structure, I provide what I believe is an ideal state blueprint. Trust me when I say that in today's highly competitive cybersecurity jobs market, attracting and maintaining personnel will be a challenge. If you build a program that is disorganized and messy, it will be difficult for you to attract anyone to man the ship.
If you look at the various security architecture and design books available, most will be hundreds upon hundreds of pages that I know most of you simply do not have the time to read. This book is much different; it focuses on just what you need to know. This chapter sets your journey in motion by discussing the basic design considerations of building a cybersecurity program. When building anything, it is best to have a methodology to follow. Dozens of methodologies exist by many names, but their message is the same: There is a sequence to follow when building something if you want it done right. What I learned quickly was that unless you follow a design methodology, the results of your efforts will be unpredictable. For example, if you wait to align your program with the business, you risk facing an expensive program redo when your stakeholders inform you that you have managed only to create an inhibitor to their business. Cybersecurity program staffing and personnel issues are discussed in Chapter 6.
1.1.2 A Recommended Design Approach: ADDIOI Model™
After doing my first dozen or so programs, I realized that the approaches I had been using lacked an emphasis on services and processes. They aligned more with building a physical product. I needed an approach which would accommodate building something that was service oriented. Figure 1-1 is what I refer to as the ADDIOI Model™ (align, design, develop, implement, operate, and improve). It has proved quite useful over the years.
I arrived at my methodology by adopting phases of the ADDIE Model (analysis, design, development, implementation, and evaluation). ADDIE, originally developed in 1975 for the US Army by what was previously known as the Center for Educational Technology at Florida State University (Forest, 2014), provided about 80% of what I was looking for in clarifying my approach. ADDIE has been adopted and modified by hundreds of consulting companies throughout the world.
Starting with the ADDIE Model, I made subtle but important changes in constructing my ADDIOI Model (align, design, develop, implement, operate, and improve) methodology. The first difference is that I declare analysis as a process within the align phase to emphasize alignment to the business from the start. I added operate as a phase to emphasize the design was oriented toward processes and services. While my phase that I call improve is the same as evaluate in the ADDIE Model, I named the phase improve to emphasize continuous service improvement and that action is required to correct inefficiencies. Figure 1-1 shows a representation of the ADDIOI Model's phases as a continuous improvement circle.
Figure 1-1. ADDIOI Model™. (By Tari Schreider, licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License)
1.1.3 The Six Phases of the ADDIOI Model™
The phases of the model include:
- Align - This phase is where you identify your organization's business goals and align them to the capabilities of the cybersecurity program. Always remember the business is your benefactor paying for all your cybersecurity gizmos, so alignment is crucial. You must show the value of your program by demonstrating how it reduces operational risk. A key outcome will be program design requirements. The align phase is an ongoing process and supports the improve phase.
- Design - This phase is what this chapter predominately addresses - designing the structure of your cybersecurity program. Here you create your program blueprint to show stakeholders the vision of the final product and validate alignment to the business in a concrete manner. For example, if one of your business goals is to maintain regulatory compliance, compliance capability should be reflected in your design.
- Develop - This phase is where you configure and test the cybersecurity countermeasures called out within the design requirements. Development may also include creating or modifying application code to support cybersecurity countermeasures. For example, integrating an access authentication or single sign-on solution will require application integration. Countermeasure testing provides the basis to create experience-based implementation plans and acceptance criteria to move countermeasures from test to production. Information technology (IT) infrastructure is locked down (hardened) in this phase, making it resilient to cyberattack. Develop and customize are the primary activities of this phase.
- Implement - This phase is the execution of implementation plans to "go live" with your cybersecurity countermeasures developed in the previous phase. You should strive to create a culture of security with your training program, instilling the human firewall philosophy, your first line and many times your last line of defense. This is the phase where you will organize cybersecurity program staff around the program's components. Onboarding security service providers occurs within this phase. Deployment and training are the primary activities of the implement phase.
- Operate - This phase is where the day-to-day management and operations of the cybersecurity countermeasures occur. This phase is most commonly referred to as security operations (SecOps); security tools administration, threat monitoring, and the security service desk are located here as well. The service desk is an IT function that serves as a single point of contact for customers to resolve their computing or applications issues. Other parts of the cybersecurity program, such as cyber threat intelligence, may use security tools; however, SecOps generally handles their daily administration. Program sustainability is the primary focus of the operate phase.
- Improve - This phase is the process of continuous improvement. Most cybersecurity programs operate as a good practice, but moving to a best practice requires continuous improvement. I discuss the difference between good and best practices later in the chapter. Key performance metrics and regular assessments are used to baseline the program, and a maturity model is used to guide program improvem...