Program Architecture Fight the Good Fight

Business executives consider what is necessary to protect the company. It comes down to people, process and technology, organized within an information security program. Everything has its place within the program, including business processes, assets and the right blend of controls to protect them.

This book describes program architecture, the discipline of designing, implementing and leading information security programs.

• Prove Yourself Ready Now

• Team Development and Retention

• Program Maturity

• Influence Support and Funding

• Cyber Threat Intelligence

• Third Party Risk Management        

• Metrics and Reporting

• Insider Risk Monitoring and Response

• Threat Landscape and Controls Analysis

• Conduct an Assessment

• Crisis Communications

• Control by Governance

This book provides practical advice in the areas of cybersecurity and operational risk management. The goal is to provide readers with practical advice they can use upon return to work.

Chapter abstracts:

Chapter 1

Prove yourself ready now

This chapter provides practical advice to prove yourself 'ready now' for a cybersecurity management role. The journey begins with a view from the executive’s side of the table and how to speak in terms of risk. There is an overview of risk management, with tips for influencing risk mitigation. Focus transitions to how a communications plan can make you more effective as a leader. There is practical advice for developing presentation skills with limited stress and anxiety through a four-step approach. With that skill in-place you can communicate program statuses to executives. Professional development and C-Level presentation round out the chapter.

Chapter 2

Team development and retention

This chapter provides leaders with practical advice for developing employees in their current role, with tips to help them move laterally or to pursue promotion to management. The focus shifts to management routines throughout a calendar year, including performance and development plans, communications, financial acumen, talent review and program architecture. The chapter begins to conclude with performance calibration, succession planning, promotions and retention risk.

If you are an individual contributor with a goal of being promoted to leadership, there is a significant value in this chapter. There are also activities behind the scenes that you should know about in your current role.

Chapter 3

Program maturity

Information security professionals must focus on maturity within cybersecurity and operational risk contexts. This chapter provides guidance to improve program maturity within four levels. It starts by establishing a foundation with a control framework, laws, regulations and contractual obligations. Next are common controls, necessary and common sense from an information security perspective. Active risk management includes types of analysis, assessment and mitigation. Strong risk management is conducted by organizations that have a very low risk tolerance. This risk-prioritized approach can be used to influence funding. So that's part of the strategy, you need support and funding to mature the program over years.

Chapter 4

Influence support and funding

Influencing change with business and IT executives is a learned skill. This chapter begins with five areas of focus to influence support and funding. The concept of ‘bring friends’ solicits the support of other operational risk functions. Management routines are provided as effective ways to mitigate risk, including a risk register process, a cybersecurity committee, tabletop exercises and a cybersecurity risk management framework. Three risk analysis methodologies are provided as practical advice to communicate security risk. Tips to develop financial acumen include two budget slide examples. The chapter concludes with emphasis on the need to be a change agent and to close on projects, initiatives and risk mitigation.

Chapter 5

Cyber threat intelligence

A Cyber Threat Intelligence (CTI) Program drives change to adapt to emerging threats and new technology. That change reduces incident occurrence, with a goal of preventing an incident from becoming a data breach. The chapter provides practical advice to establish a CTI program that generates system hardening, threat hunting, monitoring and incident response. CTI inputs are detailed within advisory subscriptions and six other categories. CTI activities continue with an intake process, processing an advisory, taking action and CTI meetings. CTI program architecture continues with security monitoring alerts and tips to establish a threat hunting program. The chapter concludes with adversarial tactics and CTI program indicators.

Chapter 6

Third party risk management

This chapter describes designing a Third Party Risk Management (TPRM) program. It details the end-to-end process: identify, risk rank, assess, risk treatment, monitor, oversight, escalations and decommissioning. A framework is provided as a program outline, with decision points to select from. Options presented will help mitigate third party risk, whether you have an existing TPRM program or if you need to establish one. This chapter is also an example of program architecture in practice. These concepts can be used to design, implement and lead other risk management programs. The goal of this chapter and this book is to provide you with practical advice you can use upon return to work.

Chapter 7

Metrics and reporting

This chapter provides practical advice to establish information security metrics, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). It begins with an explanation of the differences between them and why each is necessary. Mid-level details of the end-to-end process are provided, from creating a metric to entering it into production. Examples of how to design metrics, KPIs and KRIs are provided. Areas of focus include information security measurements for all organizations, for a new process or function and in alignment with a control framework. The end game is to measure if processes and controls are functioning as designed. This chapter includes metrics and reporting readers can leverage upon returning to work. That saves time and helps influence risk mitigation.

Chapter 8

Insider risk monitoring and response

This chapter provides practical advice to establish insider risk monitoring and response capabilities. Insider threat is discussed in the context of a threat landscape matrix. Provides tips and examples to overcome reluctance to insider risk management due to corporate culture. Provides an order of implementation to influence the next step forward. Data exfiltration controls provide results early-on. Evidence-based inferences give Human Resources a level of comfort. Continuous monitoring detects suspicious activity by an employee or contractor. An incident response process is included. Maturity increases with monitoring triggered by behavioral indicators and when an employee tenders resignation. These practices provide protection for the organization and are likely to produce results. That enables a clear business case for a second phase of program development.

Chapter 9

Threat landscape and controls analysis

Threat Landscape and Controls Analysis is organized to start from business management’s side of the table. We begin by considering the inherent risk of the organization. Provide an overview of potential adversaries, techniques for compromising data and the cybercrime ecosystem. Describe the potential for impact, while citing reliable sources. Reference the organization’s risk tolerance. Describe the organization’s assets. Pivot into cybersecurity with protection boundaries, control framework and risk assessments. Provide fair and balanced analysis by documenting risk mitigation and recent accomplishments in that domain. Detail residual risk with recommendations for new processes and controls. Conclude with a summary statement that praises the organization’s risk culture, with recognition for conducting risk analysis.

Threat Landscape and Controls Analysis can be used within an assessment report as a preamble for findings and recommendations. It also has utility as stand-alone analysis to present cybersecurity issues to C-level executives and the Board of Directors.

Chapter 10

Conduct an assessment

This chapter provides practical advice to conduct cybersecurity assessments. It details the end-to-end process including: scoping, 15 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation. The first assessment example leverages the NIST Cybersecurity Framework for coverage across security domains. This chapter also addresses follow-on assessments. Readers are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to create testing procedures. The chapter also provides an assessment report framework. The assessment presentation phase includes a slide deck framework covering the threat landscape, assessment methodology, findings and recommendations, Strengths, Weaknesses, Opportunities and Threats (SWOT) and next steps.

Chapter 11

Crisis communications

This chapter provides practical advice to support crisis communications in a cybersecurity context. Provides rationale for establishing a Crisis Management Program from an operational risk perspective. The compliance validation section references requirements from NIST cybersecurity and privacy frameworks. Details how incident response and crisis management teams work together. Includes recommendations for a crisis communications plan, holding statement templates, a data breach notification matrix and a distribution plan. Provides lessons learned and ten reputable practices to communicate effectively. The chapter begins to conclude with legal considerations for an Incident Response Plan. The call to action section outlines a three-year plan.

Chapter 12

Control by governance

This chapter provides practical advice to assert control through governance processes. Transition common information security tasks to a Governance, Risk and Compliance (GRC) Analyst (24 activities). Increase retention by focusing information security professionals on cybersecurity. Influence support and funding through a customized control framework. Implement activity task scheduling to ensure process execution. The chapter concludes with proactive measures to identify and mitigate risk such as issue management, security architecture reviews, system health checks and process governance. Governance oversight and separation from operations provides risk transparency to senior executives and the board of directors. These processes and management routines provide a pathway to Enterprise Risk Management.