By the time you reach this step in the process you will have been with your organization
for several months. You have reached out to your stakeholders, team members, and peers and
have started to build the human network you will need to grow your cyber security program
throughout your organization.
By now you should also have collected much of the data specified in Step 2 “Inventory.” This
data is crucial for understanding the enterprise network environment, data, applications, and
people you are tasked as CISO to protect. It gives you an inside view of how your organization
works, how it uses data, and which data types are critical. Remember, not all data is created
equal, and hopefully during the “Inventory” process you learned more about your stakeholders’
workflows and what types of data and technology matter to them.
All of the information you now have from Step 1 “Meet & Greet” and Step 2 “Inventory” comes
together in this step of the process. In “Assessment,” you take this background and give it
context, a meaning that can be used to build your project plans and future budgets. In
“Assessment,” you will make a judgment call based on this collected information and your
experience. You will look at this data and assess your security program’s level of maturity,
where the security program is in its life-cycle, and document any gaps found for follow-on
remediation. I have found as CISO that “Assessment” typically goes through three phases to
arrive at the end product, a security controls gap assessment. This assessment lists the security
controls that need to be updated or implemented to reduce risk to the organization. Some of the
identified gaps in security controls will turn into long-term projects that you will need to
include in your future budgets.
Compared with the previous step this may look fairly easy, but remember you are reviewing a
large amount of information and assessing the state of your cyber security program from a
maturity life-cycle perspective. Decisions made at this step will have long-term impacts on your
future budgets, project plans, department technology road-maps, and the overall quality of your
cyber security program and the services it provides to your organization. The three phases of
“Assessment” are as follows:
1. Verify the Health of the Security Suite – In this phase you review the data you collected
during “Inventory.” Most of it lives in document repositories or databases such as a
Configuration Management Database (CMDB) or an IT Asset Management (ITAM) database.
What I look for here is to understand what equipment I have as part of the security suite, how
old it is, whether it has been updated, whether maintenance contracts exist, and whether there is
a program in place to upgrade or replace legacy equipment. If you look at your hardware lists
and notice that many items are “End of Life” (EoL), annotate this on your security gap list. One
check worth making: use the vendor’s published end-of-support date rather than the age of the
device, since end-of-sale and end-of-support dates can be years apart. This is critically
important because EoL equipment often no longer receives security patches, which leaves
unintended doorways into your network that you will need to remediate. Effective cyber security
is supposed to make it harder for the bad guys to get into the enterprise environment, not easier,
so if you find a large amount of end-of-life legacy equipment, list it by priority of what needs to
be replaced first. My experience suggests that many stakeholders (be they line managers or
executive board members) are unaware of the risks posed by using end-of-life equipment. The
issue creates not only security risk from the out-of-date, legacy equipment but also financial risk
from the unscheduled request for funding to replace it. These capital requests are unplanned
organizationally and can strain your organization’s operational budget. I typically list the
equipment starting with routers, firewalls, sensors, and switches. I am sure many people would
argue for a different order, but if you have a large, disparate list, don’t be afraid to ask for help
in prioritizing what needs to be replaced first. The insights of other stakeholders will be
especially valuable for this prioritization, and good risk-management skills really come into play
here. Remember that the organization may set priorities for you based on budget, business
processes, and so on; this is where you want to use your relationships with your vendors and
resellers to see what programs they offer that you can leverage to get hardware or software at a
better price. The main thing to remember is: don’t panic if it’s a large list. Prioritize your needs
and use this information for the projects and budget in the steps that follow.
3. Measure Security – In this final phase you pull it all together by reviewing your security
suite’s technical requirements and reported metrics, and then selecting a framework with which
to measure your cyber security program’s maturity. To begin this stage, the first action I would
recommend is to meet with your team, security architects, and network engineers. You want to
verify that the security suite you have in place is, from a technical viewpoint, meeting the
requirements of the cyber security strategy presently implemented in your organization.
Remember, this is the current strategy plan; you will have the opportunity to change it and fine
tune it to your own vision as CISO later. Part of this process will be to pull reports, monitor
logs, and verify that your security suite is operating as efficiently as it should. Do not be afraid
to ask your team whether there are additions or modifications that could reduce risk to the
organization. I have found over the years that my teams have innovative ideas about how the
security suite can be tuned to better protect the corporate environment. During these discussions
I would also recommend a review of any standing security metrics used to measure your
program’s performance. Some metrics I have used in the past:
• Patch latency – how long it takes from the time an update is issued until it is installed.
• Baseline scan coverage – the percentage of the organization’s assets covered by antivirus,
firewall, and malware/APT solutions; 94%-98% is good.
• Ratio of compromised machines to user base – I like to keep mine below 1% (if I have 10,000
users I want an infection rate of fewer than 100 machines per month).
• Incident response time – measured from the report of an incident to its remediation.
• Percentage of incidents detected by each equipment type, measured against the overall number
of incidents.
• Mean time between security incidents, and time to recovery.
• Percentage of systems/assets without vulnerability issues after a scan – this shows whether
your systems are configured and patched correctly, and it is very interesting to watch it shift
over time.
• Information security budget as a percentage of the overall IT budget – hopefully this increases
over time.
• Mean time from infection to detection – with many of the new attack vectors, the quicker you
are able to isolate and remediate the asset the better.
One caveat applies to every percentage on this list: it is only as good as its denominator.
Coverage or compromise rates computed against an incomplete asset inventory will look better
than reality, which is one more reason the “Inventory” step matters.
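As an added example, not code from the original page or its author, the Python script below computes the end-of-life replacement list from phase 1 and several of the metrics listed above from a constructed CMDB export, patch log, and incident log. Every asset name, date, and the user count are invented for illustration; the router/firewall/sensor/switch replacement order and the two targets it checks (94% coverage, compromise ratio under 1%) are the ones stated in the text.

```python
from datetime import date, datetime
from statistics import mean

# Constructed sample of a CMDB/ITAM export (hypothetical assets, not real data).
# eol: vendor end-of-support date, None if still supported; agent: whether an
# endpoint agent (AV/EDR) reports for it; vulns: open findings on the last scan.
ASSETS = [
    {"id": "fw-01",  "class": "firewall",    "eol": date(2021, 12, 31), "agent": True,  "vulns": 3},
    {"id": "rtr-01", "class": "router",      "eol": date(2023, 3, 31),  "agent": True,  "vulns": 0},
    {"id": "rtr-02", "class": "router",      "eol": date(2022, 1, 31),  "agent": True,  "vulns": 2},
    {"id": "sw-01",  "class": "switch",      "eol": date(2022, 6, 30),  "agent": False, "vulns": 1},
    {"id": "ids-01", "class": "sensor",      "eol": None,               "agent": True,  "vulns": 0},
    {"id": "srv-01", "class": "server",      "eol": date(2020, 9, 30),  "agent": True,  "vulns": 5},
    {"id": "srv-02", "class": "server",      "eol": None,               "agent": True,  "vulns": 0},
    {"id": "ws-01",  "class": "workstation", "eol": None,               "agent": True,  "vulns": 0},
    {"id": "ws-02",  "class": "workstation", "eol": None,               "agent": False, "vulns": 2},
    {"id": "ws-03",  "class": "workstation", "eol": None,               "agent": True,  "vulns": 0},
]
TODAY = date(2024, 1, 15)   # assessment date (assumed)
USER_COUNT = 250            # size of the user base (assumed)

# Constructed patch log: (asset id, vendor release date, date installed).
PATCHES = [
    ("srv-01", date(2024, 1, 2), date(2024, 1, 5)),
    ("srv-02", date(2024, 1, 2), date(2024, 1, 9)),
    ("ws-01", date(2024, 1, 2), date(2024, 1, 16)),
    ("ws-03", date(2024, 1, 2), date(2024, 1, 4)),
]

# Constructed incident log for the reporting month: when the machine was
# infected, when the incident was detected/reported, and when it was remediated.
INCIDENTS = [
    {"asset": "ws-02", "infected": datetime(2024, 1, 3, 8), "detected": datetime(2024, 1, 3, 14), "remediated": datetime(2024, 1, 3, 18)},
    {"asset": "srv-01", "infected": datetime(2024, 1, 8, 9), "detected": datetime(2024, 1, 8, 21), "remediated": datetime(2024, 1, 9, 5)},
    {"asset": "ws-02", "infected": datetime(2024, 1, 12, 10), "detected": datetime(2024, 1, 12, 13), "remediated": datetime(2024, 1, 12, 19)},
]

# Replacement order from the text: routers, firewalls, sensors, switches first;
# any other device class is handled after those.
CLASS_PRIORITY = {"router": 0, "firewall": 1, "sensor": 2, "switch": 3}

def eol_replacement_list(assets, today):
    """IDs of end-of-life assets, highest replacement priority first:
    ordered by device class, then longest-expired within a class."""
    expired = [a for a in assets if a["eol"] is not None and a["eol"] <= today]
    expired.sort(key=lambda a: (CLASS_PRIORITY.get(a["class"], 99), a["eol"]))
    return [a["id"] for a in expired]

def patch_latency_days(patches):
    """Mean days between vendor release and installation."""
    return mean((installed - released).days for _, released, installed in patches)

def scan_coverage_pct(assets):
    """Percentage of inventoried assets with an endpoint agent reporting."""
    return 100.0 * sum(1 for a in assets if a["agent"]) / len(assets)

def clean_after_scan_pct(assets):
    """Percentage of assets with no open findings on the last scan."""
    return 100.0 * sum(1 for a in assets if a["vulns"] == 0) / len(assets)

def compromise_ratio_pct(incidents, user_count):
    """Distinct compromised machines as a percentage of the user base."""
    return 100.0 * len({i["asset"] for i in incidents}) / user_count

def _hours(delta):
    return delta.total_seconds() / 3600

def mean_time_to_detect_hours(incidents):
    """Mean hours from infection to detection."""
    return mean(_hours(i["detected"] - i["infected"]) for i in incidents)

def incident_response_hours(incidents):
    """Mean hours from report/detection to remediation."""
    return mean(_hours(i["remediated"] - i["detected"]) for i in incidents)

def mean_time_between_incidents_hours(incidents):
    """Mean gap between consecutive detections."""
    times = sorted(i["detected"] for i in incidents)
    return mean(_hours(b - a) for a, b in zip(times, times[1:]))

def scorecard(assets, patches, incidents, user_count):
    """Every metric paired with a pass flag where the text gives a target
    (coverage at least 94%, compromise ratio under 1%), None otherwise."""
    coverage = scan_coverage_pct(assets)
    ratio = compromise_ratio_pct(incidents, user_count)
    return {
        "scan_coverage_pct": (coverage, coverage >= 94.0),
        "compromise_ratio_pct": (ratio, ratio < 1.0),
        "patch_latency_days": (patch_latency_days(patches), None),
        "clean_after_scan_pct": (clean_after_scan_pct(assets), None),
        "mean_time_to_detect_hours": (mean_time_to_detect_hours(incidents), None),
        "incident_response_hours": (incident_response_hours(incidents), None),
        "mean_time_between_incidents_hours": (mean_time_between_incidents_hours(incidents), None),
    }

if __name__ == "__main__":
    print("Replace first:", ", ".join(eol_replacement_list(ASSETS, TODAY)))
    for name, (value, ok) in scorecard(ASSETS, PATCHES, INCIDENTS, USER_COUNT).items():
        flag = "" if ok is None else ("  OK" if ok else "  BELOW TARGET")
        print(f"{name:36s} {value:8.1f}{flag}")
```

On the sample data the replacement list comes out as the two routers (longest expired first), then the firewall, the switch, and finally the server, and the scorecard flags coverage (80%) as below target while the compromise ratio (0.8%) passes. Swapping the constructed lists for a real CMDB export and ticketing data is the only change needed to run it for your own environment.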
The next action is to review, for a second time, the current contracts and SLA reports you have
with your vendors. I have found that once you have reviewed all of this information about your
organization’s enterprise environment, you can approach the contract and SLA requirements with
a new frame of mind and with insights that would not have surfaced earlier in the process. Take
another look at these contracts and SLAs and ask yourself: “Am I measuring all of the contract
metrics I need for security?”, “Are there other data points my team collects that will help me
paint a picture of the exceptional job my team is doing?” and, finally, “Are there any more
metrics we can collect that provide visibility into how we are providing value to the
organization?” All of these “security metrics” are very important. I have seen them used as the
driving reason why a project gets budget, and I have seen them used to justify hiring new
personnel. I cannot stress enough the importance of understanding your numbers. You want to
be in control of them and of the picture they paint of your security program to upper
management.
Finally, you need to select a framework (or frameworks) to assess the maturity of your cyber
security program. I have used multiple frameworks in the past, and to me they provide a key
component you need as CISO to measure the progress, or lack thereof, of your security program.
Frameworks give you a reference against which to measure and baseline the effectiveness of
your current program, and a foundation to build upon. Which framework you select will depend
on the business environment your organization operates in and the types of data (data categories
are very important) it processes, stores, and transmits to third parties. To start, I like to take a
good, solid framework and use it as a quick snapshot of the health of my program. I would
suggest something like the SANS Top 20 Security Controls (now maintained and published by
the Center for Internet Security as the CIS Controls), as this will let you verify that your program
has the basic recommended security controls in place. If you are missing something from this
list, don’t panic; just create a risk matrix and list which control you believe is missing or not
implemented correctly. After you have completed this step, I would recommend you move to a
more in-depth control framework such as NIST SP 800-53 or ISO 27001/27002 and work through
the listed controls and sub-controls as well as the enhancements and supplemental guidance.
Working through NIST or ISO this way can be very tedious, but I have found it makes you look
at your collected information and picture the technologies, processes, and networks from an
“outside the organization” assessment point of view. You will find during this exercise that some
security controls apply and many don’t. The main thing to remember is to document in a risk
matrix all of the controls that apply and annotate which ones you believe are missing or not fully
implemented. Once you have completed this step, I would next recommend you look at all of the
industry and compliance frameworks that apply to your organization based on the types of data
you currently process, store, and transmit. You will find that the compliance frameworks are
very similar to what is covered in NIST or ISO. However, remember that compliance frameworks
have teeth: if you do not meet their controls, your organization can face substantial penalties and
fines. Your organization’s counsel may also have insights into regulatory requirements that need
to be addressed. Certain data types carry different control requirements and data retention
periods that should not be overlooked. If you meet with your organization’s stakeholders and
counsel and they have a “deer in the headlights” look in their eyes, you know you’ve been given
an opportunity to do some cyber training. Add that to the list as well.
By the end of “Assessment,” you know the health of your security suite based on the
information you collected during the “Inventory” phase and the processes you have gone through
during this step. You possess a list of recommendations from your team and a list of equipment
that will need to be upgraded. You have reviewed, for a second time, the contracts and SLAs that
fall under your purview as CISO and have documented which metrics apply and which new ones
need to be implemented. You have also reviewed your current policies and projects, noting
which policies need to be updated and which projects may require further scrutiny. Finally, you
have taken all of your collected information and knowledge about the organization’s enterprise
environment and measured it against multiple frameworks. You have created a risk matrix in
which you have documented the controls that apply to your enterprise environment, and you
know which ones are “security gaps” that will need to be remediated.
As you finish this step you will have come a long way as CISO. You are now intimately familiar
with your enterprise environment and the policies and procedures in place to manage it. You
have multiple lists of hardware, policies, and security controls that will need to be corrected or
remediated. You now have all of the components for what’s next, Step 4 “Planning.” There you
will pull your lists together and create your strategy for what you want to do as CISO. It is in
this next step that you must remember “Security doesn’t work in a vacuum, however it excels in
a Community.” I would recommend you include your team in the next step: use “Planning” to
mentor and lead your people, and teach them why cyber security provides value to your
organization and is a business enabler.