If you want to understand maturity, watch a jazz concert. Much of what you hear is improvised, right there before your eyes. The music is so well integrated that it seems to have been planned in advance, but in fact the musicians are making it up as you watch. How?
They are following a set of rules that they have practiced countless times when they were not in the room with you. They use keys, chord progressions and scales, and they learn to detect signals from each other that indicate when one musician, regardless of the instrument, wants to take the lead or change things a little. In other words, they follow a set of rules that enables them to improvise. Underlying structure enables overlying agility.
In cyber security, such a combination is crucial.
Often when we talk to IT professionals about maturity, we hear answers in the form of documents. We read plans and assessments that are impeccable. However, when we look at how the organization operates on a day-to-day basis, we often do not see this backend work manifesting itself in how members of the team are performing. In some organizations, teams seem to be following unwritten rules, but at times expend time and resources learning the lessons the hard way. The lesson is that cyber security maturity is not measured in pages, and documentation does not always lead to maturity.
Plans, Procedures and Assessments Should Be Firm but Flexible
“History doesn’t repeat itself but it often rhymes,” Mark Twain said. Well, so do threat actor attack patterns. They talk. They share. They copy. One of the truly frightening facts of the current threat landscape is that so much of it has become commoditized. That is, one threat actor finds a practice that works and sells it to others precisely because it works. Other threat actors copy slices of attack functionality and incorporate them into their own tooling. In some ways, threat actors are becoming more mature than the people who are trying to defend against them.
To properly defend against these threats, defenders must learn what works, document it and share it. That does not always mean a 100-page document, although I have written a few long documents that many did not finish reading. Organizations should start with a need, whether it is a compliance mandate, a business or technical need, or a threat, and develop documentation that is easily accessed and quickly ingested. People should not need to read for 30 minutes to find the information they need. Searchable databases, wikis and portal pages allow those who need a solution to find one quickly. Although sometimes maligned, applications like Microsoft SharePoint allow managers to control content while promoting collaboration. Such material can be quickly exported to document format for review and approval, so that the organization is prepared when the auditor eventually comes calling.
Set Aside Time to Take a Breath
In his book, 7 Habits of Highly Effective People, Stephen Covey described managers as the people who keep those cutting through the forest moving by ensuring their logistical needs are met. He described leaders as those who would climb to the top of the tallest tree and shout, “Wrong forest!” In a similar way, cyber defenders need time to reflect on what they are doing and ask how and where their efforts are paying off. In the Agile methodology, after each sprint, a “retrospective” is performed in which the team evaluates what went well and the obstacles it encountered. A similar reflective pause is helpful in cyber security, giving individuals the time to evaluate where and how their efforts are effective.
In his 14 Points, W. Edwards Deming lists as his sixth point, “institute training on the job.” The point he was trying to drive home was to standardize training, not so that it becomes overly rigid, but so that lessons learned and validated in one part of the organization are understood in others. Taking the time to confirm that all cyber defenders are on the same page enables them to improvise in a way that enhances the effectiveness of the whole team.
Routines Should Be Trained and Practiced
When I was an Army company commander, I remember one of my soldiers being asked in a promotion board, “Are you nervous?” After the soldier said he was, the sergeant major leading the board said, “You know what will make you not nervous? Some right answers.”
Many organizations learn what to do during a breach when a breach happens. Although this kind of experience is (in a sadistic way) beneficial, the emotional trauma that results can be minimized if everyone understands expectations prior to the breach. Do your team members know their role during an incident? Do they know the kinds of information for which they will be asked? Breach post mortems can be brutal. Performing so-called “rock drills” or tabletop exercises can enable cyber security defenders to rebuild confidence, not only within the team itself, but also in clients and non-technical leadership.
Lessons Should Be Captured and Shared…Widely
The field of cyber security is fluid because technology is fluid. Threat actors are constantly learning and exploiting vulnerabilities, both technological and human, and the platforms organizations use are also constantly evolving. So, too, must an organization’s cyber security capabilities. One of the most beneficial ways to share information is to include the various people who use and maintain the affected systems. Often, when a particular vulnerability can’t be patched, a vendor will recommend a particular workaround. If that workaround breaks functionality, applying it amounts to a self-induced denial-of-service attack. By involving all those who contribute to cyber security, such as developers and administrators, a fuller picture of what must be done can develop. Don’t hoard information in the silo of cyber security, but rather include the doers. If you have adequately convinced them of the importance of the threat, they will often find unique ways of mitigating the risk.
Maturity is not a page count. It exists when how you envision your cyber security is in harmony with your reality. Let cold, hard reality bring practicality into your documentation and ensure that your knowledge base is enriched by the knowledge of your professionals. After all, you hired them for a reason.