CSOL-550 - Management and Cyber Security, Fall 2019
I was introduced to the notion of the leadership aspect of cybersecurity in businesses through CSOL 550, Management and Cyber Security, during Fall 2019. Our teacher was Professor Donald Biedermann, a retired United States Marine Corps Communications and Information Technology Officer. Aside from using online resources, we used two primary books:
Iannarelli, J. G., & O’Shaughnessy, M. (2015). Information governance and security: Protecting and managing your company’s proprietary information (1st ed.). Oxford, UK: Butterworth-Heinemann.
Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for executives: A practical guide. Hoboken, NJ: John Wiley & Sons.
Throughout this course, several new concepts were introduced. I learned the best practices for developing the technical leadership capability of an organization with an emphasis on cybersecurity. I learned how to develop an Information System Security Plan (ISSP). I learned how to conduct an audit and compliance review of an organization and how to put together a contingency plan to address cyber incidents, which will happen sooner or later to any organization that is connected to the Internet. As part of this section, I have chosen to comment on three artifacts: Cyber Security Auditing, Staffing, and Conflicts Between Cyber Security & Corporate Practices.
Before providing new insights and key understandings of the above three sections, let me say a few words about what the Information System Security Plan (ISSP) is and why its development, implementation, and execution are important parts of any cybersecurity strategy. By definition, an ISSP is one document, or a set of documents, that an organization puts together to define its structure around security controls as well as roles and responsibilities.
Shawn Hays (2018) stated that "For starters, a System Security Plan (SSP) is an iterative document meant for updates as the company changes anything substantive about its security posture. Much like a well-kept Wikipedia page, every major update or remediation needs to be recorded and reviewed by other individuals. Information like network diagrams, administration roles, company policies, and security responsibilities by employee type are important for a complete SSP." Compared with a security policy, an ISSP is narrow in scope and changes frequently, while a security policy is broad and is updated far less often.
Having an ISSP proves invaluable to an organization, as it guides the business through a set of rules that improve the protection of information system resources. According to Swanson, Hash, and Bowen, in their SP 800-18 Rev. 1 publication (2006), an Information System Security Plan (ISSP) is "an organization document that spells out the protection of the system. Its objective is to improve the protection of information system resources." Ron Stamp (2016) goes one step further, stating that the ISSP is "a set of documents, not one, but several each addressing policy and procedure with some evidence of implementation of security controls."
Sometimes an example conveys an idea better than a long explanation. The vast majority of people now carry a smartphone that they use not only at home but also at the office, and they even connect these phones to the corporate network. In principle, employees should not be connecting personal devices to the corporate network, but when the company lacks an ISSP, the rule becomes difficult to enforce. So, in this context, the ISSP plays a vital role in achieving the cybersecurity strategy: it spells out the conditions under which personal smart devices may be connected to the company network (typically, for example, device enrollment and separation onto a dedicated network segment), so that the business is not exposed to unnecessary risk.
Conflicts Between Cyber Security & Corporate Practices
Cyber Security is a relatively new discipline. Business management, in contrast, has come a long way. I'm not sure when the science of managing a business was introduced to society, so that we have a CEO, a CFO, a Vice President of HR, and so forth, but I suspect it has been a very long time. And when something is not new, practices are in place that we follow to ensure success. As we move along, inefficient practices are eliminated, some are replaced with others, and improvements are injected over the years; standards get established and common-sense instincts develop. So, business management is a mature human activity that is well known to people, especially leaders, worldwide.
Business entrepreneurs, for example, focus on getting maximum benefit and better returns from a minimum of investment. But then computers and the Internet came along, and with them the birth of the cyber age and its consequences.
While leaders found unparalleled benefits in using computer technology to sustain their business operations, they did not anticipate its side effects. Being connected to the Internet has proved very efficient for running an organization; however, until recently, leaders found it hard to invest in cybersecurity. They know that corporate information, such as intellectual property and trade secrets, provides a powerful competitive advantage for their businesses and needs to be protected. But this newcomer in town appears to be a bit too demanding and disruptive to the practices already in place.
In leaders' assessment, cybersecurity appears to use jargon that only information technologists understand well. Part of this is due to poor communication. Consequently, there was pushback across the board. Cybersecurity practices, in a certain sense, were viewed as a hindrance to business expansion and performance, opposing the business practices leaders have come to rely on. According to Gregory Touhill (2014), the resulting language gaps create barriers that sometimes produce organizational friction, lack of communication, and poor decision-making.
So, yes, there are conflicts between cybersecurity practices and corporate practices. Cybersecurity benefits are not well understood, which leads to pushback when a security policy is to be implemented. According to Chloe Biscoe (2018), some reasons for employees' negative behavior toward cybersecurity are: "There is no clear reason to comply, the cost of compliance is too high, the means of compliance are obstructive."
It appears that the main reason fueling this unsatisfactory climate is a misunderstanding of the benefit of cybersecurity in a business setting. Cybersecurity professionals have to educate people, in simple terms, about what cybersecurity is all about. We need to convey to the broader workforce why we must make cybersecurity part of our culture: the use of the Internet will not go away any time soon, businesses will increasingly rely on this means of communication with no end in sight, and bad actors will keep increasing the sophistication of their hacking techniques. To reduce the conflict inherent between cybersecurity practices and corporate practices, those in charge of communicating the security policy need to do so more effectively. Again, Chloe Biscoe (2018) suggests the following techniques to reach that goal. These were part of a recommendation from The Psychology of Information Security:
(a). Articulate the benefits – position any new processes or tools in a way that highlights the benefits to each group.
(b). Provide clear steps – clearly outline the steps that allow staff to realize these benefits.
(c). Communicate frequently at the right level – communication needs to start at the top of the organization and work its way down so that priorities and expectations can be aligned.
Approaching cybersecurity implementation from this angle increases the likelihood that the security policy is adopted, leaders see its benefits, and conflicts are mitigated.
Cyber Security Auditing
A cybersecurity audit is a formal process in which an information security auditor assesses the cybersecurity level of a given organization and submits the findings to the executive team, so that they are aware of the risks, if any, the organization faces; identifies the controls in place meant to mitigate those risks; and evaluates the efficacy of those controls, so as to trigger corrective actions (ISACA, n.d.). According to Melissa Stevens (2016), a cybersecurity audit acts as a checklist that confirms that what an organization says in its policy is what is actually taking place, and that there is a way to verify it is being enforced.
An important first step is to define the audit scope, meaning to establish an inventory of all the business assets. Since not all assets will be audited, this inventory is used to separate the assets to be audited, which are the most valuable, from those excluded from the audit; the exclusions should be recorded and justified so the scope itself can be reviewed. Assets can be computers, data, and networks. The Institute of Internal Auditors, in its assessment (n.d.), stated the important role internal audit plays in assessing risks in an organization, taking into consideration "which assets are the likeliest targets for cyber attacks."
Assess Current Security Performance
After establishing the list of threats, the next step is to evaluate how the current security controls are actually implemented. This phase should be conducted by an external security auditor to limit bias in evaluating the implementation.
Prioritize Threats
Take time to prioritize threats by weighting each one by the potential damage it could cause; in practice, how likely the threat is to materialize belongs in that weighting as well.
Provide Security Solutions
Finally, for each prioritized gap, recommend a corrective action. The list below summarizes the elements to be included in a cyber audit.
Elements in a Cyber Audit
When someone is about to conduct a cyber audit for an organization, the natural question to ask is what tasks the audit consists of. Businesses make an effort to come up with policies, training, and security controls in response to the rise of threats. The goal of the audit is to come in, assess the effectiveness of these implementations, and provide suggestions where appropriate (ISACA, n.d.). The audit can include, but is not limited to:
Data security policies relating to the network, databases, and applications in place. Clear evidence must be provided to validate that a policy indeed exists; the audit then consists of going through the individual statements in the policy and checking how each has been implemented. According to Fennelly, C. (n.d.), "Your security policies are your foundation. Without established policies and standards, there's no guideline to determine the level of risk."
Controls and Threats
The audit verifies that the controls meant to address the identified threats are actually implemented and operating as described.
Internal Network Configuration
Here the auditor checks antivirus software, software patches and updates, and backup and data recovery solutions. For backups in particular, the evidence should include a recent successful restore test, not merely that a backup job exists.
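The audit steps above (scope the assets, prioritize them by potential damage, then verify the patching, antivirus, backup and recovery controls against the policy) can be turned into a repeatable evidence check. The following Python script is an added example and is not part of the original page or of any of the cited sources; the asset names, policy thresholds, dates and the 1-5 impact/likelihood scale are constructed for illustration.

```python
"""Audit evidence check: scope a constructed asset inventory by risk, then
verify each policy statement against the recorded evidence for every
in-scope asset. Every finding names the control and the evidence that
failed, and assets left out of scope are reported explicitly."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Fixed "today" so the example is reproducible (constructed date).
AUDIT_DATE = date(2019, 11, 15)

# Policy statements rewritten as measurable thresholds (constructed values).
POLICY = {
    "max_patch_age_days": 30,        # "systems are patched at least monthly"
    "av_required": True,             # "endpoint protection on every host"
    "max_backup_age_days": 1,        # "daily backups of in-scope systems"
    "max_restore_test_age_days": 90, # "restores are tested every quarter"
}


@dataclass
class Asset:
    name: str
    kind: str                          # server, database, workstation
    impact: int                        # 1-5: damage to the business if compromised
    likelihood: int                    # 1-5: how likely/attractive a target it is
    last_patch: date
    av_enabled: bool
    last_backup: Optional[date]        # None = no backup evidence at all
    last_restore_test: Optional[date]  # None = backups never proven restorable

    def risk_score(self) -> int:
        # Impact x likelihood weighting used to decide what gets audited first.
        return self.impact * self.likelihood


def select_scope(assets: List[Asset], min_score: int) -> Tuple[List[Asset], List[str]]:
    """Split the inventory into audited assets (highest risk first) and
    assets deliberately excluded, so the exclusion itself is on record."""
    in_scope = sorted((a for a in assets if a.risk_score() >= min_score),
                      key=lambda a: (-a.risk_score(), a.name))
    excluded = sorted(a.name for a in assets if a.risk_score() < min_score)
    return in_scope, excluded


def audit_asset(asset: Asset, policy: dict, today: date) -> List[str]:
    """Check each policy statement against the evidence for one asset."""
    findings = []
    patch_age = (today - asset.last_patch).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(f"patching: last patch {patch_age} days ago, "
                        f"policy allows {policy['max_patch_age_days']}")
    if policy["av_required"] and not asset.av_enabled:
        findings.append("antivirus: required by policy but not enabled")
    if asset.last_backup is None:
        findings.append("backup: no backup evidence on record")
    else:
        backup_age = (today - asset.last_backup).days
        if backup_age > policy["max_backup_age_days"]:
            findings.append(f"backup: last backup {backup_age} days ago, "
                            f"policy allows {policy['max_backup_age_days']}")
    # A backup that has never been restored is not proven recoverable.
    if asset.last_restore_test is None:
        findings.append("recovery: no restore test on record")
    else:
        test_age = (today - asset.last_restore_test).days
        if test_age > policy["max_restore_test_age_days"]:
            findings.append(f"recovery: last restore test {test_age} days ago, "
                            f"policy allows {policy['max_restore_test_age_days']}")
    return findings


def run_audit(assets: List[Asset], policy: dict, today: date, min_score: int = 9) -> Dict:
    in_scope, excluded = select_scope(assets, min_score)
    findings = {a.name: audit_asset(a, policy, today) for a in in_scope}
    return {
        "in_scope": [(a.name, a.risk_score()) for a in in_scope],
        "excluded": excluded,
        "findings": findings,
        "compliant": [name for name, f in findings.items() if not f],
    }


def sample_inventory(today: date) -> List[Asset]:
    """Constructed inventory standing in for what asset discovery would return."""
    def ago(days: int) -> date:
        return today - timedelta(days=days)
    return [
        Asset("erp-db-01", "database", 5, 4, ago(45), True, ago(1), None),
        Asset("web-01", "server", 4, 5, ago(7), False, ago(3), ago(30)),
        Asset("hr-laptop-12", "workstation", 3, 3, ago(10), True, ago(1), ago(10)),
        Asset("lobby-kiosk", "workstation", 1, 2, ago(200), False, None, None),
    ]


if __name__ == "__main__":
    report = run_audit(sample_inventory(AUDIT_DATE), POLICY, AUDIT_DATE)
    for name, score in report["in_scope"]:
        print(f"{name} (risk {score}):", report["findings"][name] or "compliant")
    print("excluded from scope:", report["excluded"])
```

The structure mirrors the checklist idea from Stevens (2016): each policy statement becomes a threshold, and each finding pairs the control with the evidence that contradicts the policy, which is what an executive needs to see in order to act. The excluded list matters as much as the findings, because an asset left out of scope without a recorded reason is a gap the next auditor cannot see.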
Staffing a Cybersecurity Department
Managing a business is a huge undertaking, especially in a context of globalization where competition has become increasingly fierce in virtually every sector. This state of affairs requires a business to be more efficient in order to survive. Many parameters have to be considered when managing a business: the size of the business, the sector, the cost, balancing the in-house and outsourced workforce, and so forth, to name a few. Add to this long list the urgent nature of the cybersecurity threats to address. This new elephant in the room surely comes with challenges that make managing a business more difficult. Part of this is the need to bring in quality, educated staff. Protecting information is an imperative a business cannot ignore. The major issue with cybersecurity is managing business information in a globally connected world. Even in the name of cost reduction or convenience, handing control of information to an external partner is not a decision to take lightly.
The approach to staffing a cybersecurity team will certainly differ from one organization to another and between small and large organizations; this document does not go into those differences. Comtact (2017) noted that "What works well for one organization may not be the best for another. First, you need to understand what options are available, and secondly, the best fit for your requirements."
Compare and Contrast Analysis
In-house IT staff
(a). An employee becomes a familiar face each day.
With an in-house employee, you can count on the fact that, for the most part, when a security issue happens, help will be there without delay, and from a familiar face.
(b). The employee is a member of a team.
The relationship between an employee and the company becomes mutually beneficial. The employee does their best for the success of the enterprise, while the employer becomes more invested in the employee for a long-term, fruitful relationship. According to Anthony Jones (2017), "in-house employees have a more vested and ongoing interest in tending to the health of a company and can work on proactive measures to promote a safe computing environment."
(c). Work at a deliberate pace.
Steven Vigeant (2015) noted that the ability to work at a slow but deliberate pace is an advantage. An in-house employee can spend more time on an issue and document it throughout the process, which benefits the company.
Hiring in-house can be expensive. Depending on the size of the company, in-house staffing will most likely require more than one person, and the expenses add up, especially for small organizations. According to Michael E. Whitman and Herbert J. Mattord (2011), "Where small organizations spend more than $5000 per user on security, very large organizations spend about one-eighteenth of that, roughly $300 per user." (p. 166)
If a company can only afford a very limited number of cybersecurity personnel, then some employees will have to hold several roles. Entrusting so much knowledge and access to a single person is itself a big risk: what if the employee leaves without advance notice, or turns malicious toward the company? Documented procedures and a second person with access to critical credentials reduce, but do not remove, this exposure.
Having in-house staff forces the company to take ownership of keeping its workforce trained. The training is necessary since technology evolves.
Fully outsourced IT functionality
A solution that is 100% outsourced, I would say, does not and should not exist, since the organization will still need at least one person internally to coordinate with the third-party partner. But let us assume, for the sake of the comparison, that no one inside the company coordinates; here are the pros and cons of this option.
(a). Reduced cost
Outsourcing cybersecurity staffing is considerably lower in cost. It is also appropriate for small organizations that cannot afford in-house staff.
(b). Expert availability
The business benefits from a pool of experts who can address its issues effectively, since most of those people have the experience, education, and credentials the company needs.
(c). Motivation to excel and retain business
Outsourced providers, known as Managed Service Providers (MSPs), or Managed Security Service Providers (MSSPs) when the service is security-specific, want to keep doing business with their clients, and they will usually go above and beyond what the contract specifies to beat the competition and retain them. This mindset benefits the company that outsources its staff.
(d). The benefit of a 24/7 monitoring option. Attackers do not strike only during business hours; unless in-house staff is available around the clock, an outsourced provider can cover this easily.
The outsourced team addresses most issues remotely, which may frustrate the company if they are not resolved on time.
On urgent matters, the company can sometimes experience delays, and a service level agreement with a more aggressive response time can be costly.
A Hybrid Model
The hybrid model is a very realistic approach. Companies nowadays use this option for several other services, such as call centers or office cleaning: a third party takes care of customer support, for example, while the company keeps very limited personnel focused mostly on managing the outsourced team.
(a). It combines the best of both worlds, in-house and outsourced. Most of the benefits of the fully outsourced option apply here as well.
(b). On top of the pros mentioned above for the fully outsourced option, the company can outsource some cybersecurity activities while keeping the most sensitive areas in-house, and still benefit from the partner's expert knowledge.
(c). The company keeps some control over certain cybersecurity duties. If there is an urgent issue and a delay is expected from the partner, the company's residual personnel can start addressing the issue while waiting for the partner's response.
(a). Depending on the size of the skeleton team working on cybersecurity issues, training will still be required as technology evolves, and updates are mandatory to stay at the top of the game.
The issue with the hybrid and fully outsourced models is the risk the company takes in relying on personnel it does not control. Entrusting confidential information to them, even when the company manages to put some safeguards in the contract, is a huge gamble. Even with binding contracts, people will sometimes do stunning things regardless of what the contract says. The example of Edward Snowden comes to my mind.
Snowden was a contractor at the National Security Agency (NSA) who leaked classified information. According to Ewen MacAskill (2019) of the Guardian, on May 20, 2013 "Edward Snowden arrives in Hong Kong, where a few days later he meets with Guardian journalists, and shares with them a cache of top-secret documents he has been downloading and storing for some time."
References
Biscoe, C. (2018, February 6). Resolving conflicts between the security team and the rest of the business. Retrieved from IT Governance website: Resolving Conflicts
Comtact (2017, November 22). Pros and cons of outsourcing your Cyber Security - In-house, MSSP, or Virtual SOC? Retrieved from COMTACT website: Pros and Cons of Outsourcing
Eitan, K. (2017, November 15). How to Conduct an Internal Security Audit in Five Simple, Inexpensive Steps. Retrieved from Dashlane website: How to Conduct a Security Audit
Fennelly, C. (n.d.). IT security auditing: Best practices for conducting audits. Retrieved from TechTarget website: Best Practices for Conducting Audits
Hays, S. (2018, December 17). What is an SSP and POA&M? What's the Difference? Retrieved from Summit7 website: What is an SSP
ISACA (n.d.). Cyber Security Audit. Retrieved from ISACA website: Cyber Security Audit
Jones, A. (2017, November 21). Outsourcing IT Security vs. Hiring an In-House Specialist. Retrieved from Partners website: Outsourcing IT Security
MacAskill, E. (2019, September 13). 'They wanted me gone': Edward Snowden tells of whistleblowing... Retrieved from the Guardian website: They wanted me gone
Stamp, R. (2016, May 16). Planning for a System Security Plan. Retrieved from Info Security Advisor website: Planning for a system security plan
Stevens, M. (2016, October 20). Cybersecurity Audit Vs. Cybersecurity Assessment: Which Do You Need? Retrieved from BitSight website: Cyber Security Audit Vs.
Swanson, M., Hash, J., & Bowen, P. (2006). Guide for Developing Security Plans for Federal Information Systems (NIST Special Publication 800-18, Rev. 1). Gaithersburg, MD: National Institute of Standards and Technology.
The Institute of Internal Auditors (n.d.). Assessing Cybersecurity Risk. Retrieved from AICPA website: Assessing Cybersecurity
Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for executives: A practical guide. Hoboken, NJ: John Wiley & Sons.
Vigeant, S. (2015, June 19). In-House vs. Outsourced IT Staffing: The Pros and Cons. Retrieved from Data Evolution website: In-House vs. Outsourced IT
Whitman, M. E., & Mattord, H. J. (2011). Management of Information Security (3rd ed.). Course Technology, Cengage Learning. p. 166.
I have chosen to comment more on the Conflicts Between Cyber Security & Corporate Practices, Cybersecurity Auditing, and Staffing a Cybersecurity Department artifacts for strategic reasons. Cybersecurity is a new field where a lot remains to be learned. Because of this, businesses were not evaluating the benefits of this necessity until recently. Incorporating cybersecurity practices into the fabric of the overall corporate business has been a source of friction, as it runs against corporate best practices. Business executives need to assess the return on investment before making a financial decision. Cybersecurity, unfortunately, is not always about ROI, hence the conflicts.
The need to shed light on this aspect is the reason I chose Conflicts Between Cyber Security & Corporate Practices as one of the three artifacts. Secondly, cybersecurity, as it stands today, is not usually built into a business at its creation. In most circumstances, a business already exists, and its people realize they need to implement security. The new demand will undoubtedly require an audit to know exactly what exists, so that security can be built up from there. This understanding is the reason I incorporated the audit artifact in my study. Lastly, staffing a cybersecurity department can be a huge undertaking. So far, what businesses have been doing amounts to trial and error. There is no clear, proven method for the type or model of staffing to follow that has been in use elsewhere. The lack of proven methods, combined with the speed at which things change in information technology, poses a true challenge to business leaders. Everything appears new, so the rate of trying this and that is high. Some will say in-house staffing 100%; others will say, no, outsourcing the entire cybersecurity function is the way to go; while some conservative advocates choose the middle ground and opt for the hybrid model. So, choosing how to staff a cybersecurity department as my third artifact allowed me to discuss the pros and cons of the different staffing models.
Furthermore, a cybersecurity professional aspiring to leadership roles should invest time in learning some of its principles. This class has offered me that expertise. At one point during the training, the question was to evaluate the benefits of using hackers to identify and assess vulnerabilities. At first, you would think this request does not make sense. Businesses are working tirelessly to avoid being hacked, and yet the leader is being asked to do just that. But, looking at it closely, it has its benefits, since the hacker comes on board with experience of where and how to find vulnerabilities.
This advanced knowledge reduces the cost of inside engineers who are still learning how to navigate the cyber-threat minefield effectively. This new perspective injected a professional quality I was lacking before this course and added to my understanding of the ethical aspect of being a cyber professional. It is not that only those who come with a background of not being labeled as hackers will perform well or have more value; hackers have been through many cybersecurity scenarios that can be put to use for the benefit of the company. It is up to the business leader to make the call. And what I have learned is that several companies are following this practice of hiring hackers. This approach may be unprofessional or ethically wrong. Still, it is worth mentioning, so that things come full circle, as it provides an understanding a cybersecurity leader needs in order to make informed decisions.