A long time ago in an organization far, far away… we had straightforward cybersecurity. There were relatively few assets, they were static and they accessed data through firewalls to prevent unauthorized access to a consolidated, authoritative data source: the network. Oh, and ‘apps’ weren’t a thing yet. We called them ‘programs’ or ‘applications’ and they were large, on-premises, and relatively homogenous. After all, if each business unit had their own SAP system, that would cost each department head their firstborn child. This was a predictable universe.
In this world, there were not as many security controls, threats, or meaningful data ‘out there’ on endpoints. To keep attackers out of our data, we simply fortified the perimeter with a few dozen (maybe 100) access controls and didn’t have to change much. To be a user was to be a corporate employee. To access data was to connect to the network.
Then, tragedy struck. Endpoints were no longer sourced from a single manufacturer, operating systems weren’t the same, networks were no longer fortresses for important data, users seldom connected to corporate systems as they brought their own mobile devices, and applications stopped running on boxes with magnetic discs, chips, and fans.
As the world changed, so did security. Networks used to be a dense nucleus with all the things necessary for the information-driven enterprise. There were endpoints swirling around the nucleus, but the ratio was manageable. Now, endpoints are escaping the gravitational pull of the network. When that happens, all kinds of atomic instability follows.
Thankfully, the NIST Cybersecurity Framework the entered the stage, and with it, a set of practices we can use to identify the far-flung devices that play host to sensitive data and routine compromises that can swiftly lead to data loss. Within the Identify category of the NIST CSF, as introduced in my earlier post, there are five disciplines that can help organizations deal with this mutated world filled with uncertainty.
First comes the process of consuming information that is relevant to the endpoints: intelligence. Making up asset intelligence, we have devices, systems, controls, data, users, and the facilities that support these computing functions. Asset Intelligence has evolved from simply cataloging the machines in your possession, to a frame of mind that considers the business function associated with the IT resource. Starting from this point, we can better equip ourselves to understand the necessity of the device and its attendant security measures, because it is treated as the resource it ultimately is.
When you consider other assets in your organization, say, a desk, you don’t tend to think about it as brackets, wood, physical dimensions, and so on. Instead, you synthesize a model and situation in which that resource will be used: “Jane Doe’s work space.” NIST CSF’s call for asset intelligence must adopt this frame of mind, because without the context of the individual resources, we do not get the whole story for how our resources are providing value that exceeds their costs and risks.
If asset intelligence is the ‘what’ of identifying resources, the business environment would be the ‘where’. To pinpoint and identify resources with any confidence, organizations must set priorities based on what’s happening in their business. Perhaps you just went through a merger or acquisition. Perhaps you provide computing resources for contractors, or your organization is turning everyone into a remote employee. These contextual variants are essential to better analyze the current state of your cybersecurity posture.
Businesses are like snowflakes: they are composed of the same material but configured in unique ways. If we don’t acknowledge this fact, identifying our current asset position will be hollow and less meaningful, which can only lead to failing to implement NIST CSF. With asset intelligence and the business environment in hand, we can start to apply principles and practices that help to ensure security intent is carried out.
Policy is the bedrock of all security programs, because at its very core it says, “This can do that; that cannot do this”. Of course, security and business policies are more complex. But when you strip away the controls, metrics, reporting variables, and regulatory requirements, you’re left with the realization that policy (what is allowed) serves to establish the baseline needed to see where your assets could be drifting from appropriate behaviors.
With a full understanding of your organization’s procedures, policies, processes, and regulatory requirements, you can grade your current security controls relative to these standards. The policies may need a revision; they may need to be scrapped. That is a matter of evidence. And the evidence is waiting out there in each endpoint device to measure its nearness or distance from your standards and policies.
This is often one of the most overlooked requirements for NIST CSF because we leap down to the specific controls that protect data, access, and computing functions. But when we step back and simply ask the question: “Does this device comply with our governance standards?” we get a cold splash of reality. This is the starting point for a far more interesting interrogation on the risks inherent in our policies and the real-world behavior of users, devices, apps and data.
One cannot assess risks without intimate knowledge of the device. Let’s take an example from biology. I am a human person. I come with standard equipment that can make me vulnerable to various dangers out there in the world. My vulnerable human body would not withstand an encounter with a live chainsaw.
But am I at-risk of amputation by chainsaw? No (because this is one of the reasons I avoid west Texas towns with deranged chainsaw slingers). The story is contrived, but the principle is valid: risks must be calculated with the vulnerable resource under the microscope, but also with a wide lens on the potential threats that could harm the resource. Both are essential. Without intimate knowledge (asset intelligence) you do not know what could happen. Without context (business environment) you do not know where it could happen. Without detailed understanding of policy (governance) you do not know what should happen. And without these core ingredients, the recipe for risk assessment never gets baked.
It is imperative when assessing risks to think about them in the fullness of your strategies and goals. Because risks need to be linked to how they can influence the outcomes of the strategic aim. This is the final piece of the Identify function of the NIST CSF.
Risk Management Strategy
This is more than a simple SWOT analysis or a roadmap for the years ahead. It comes down to the goals we have and how best to use technology to arrive safely to the destination. If an organization had the big, hairy audacious goal of being the world leader in consumer goods, their supply chain would be an appropriate place to put their attention. Supply chains are filled with waste, mishaps, multiple third-parties, and geopolitical influences that can derail your quest to global dominance. So, we implement technologies to overcome many of the challenges to achieve our strategic aims.
In the supply chain example, we may deploy just-in-time manufacturing and use mathematical models to simulate supply and demand probabilities. We may try to reduce risk of logistics failures by utilizing many sources for raw materials and shipping. We may put offices in certain locations to be ‘near the ground’ for things happening within the political and legal arenas that affect our operations. All of these are accomplished with technology, specifically, information technology.
As information is flowing and secure, it gives decision makers confidence. They are basing decisions on data with high integrity. This kind of reasoning must factor into our pursuit of the NIST CSF. Without a thorough understanding of our inherent risks and the risks imposed by being an entity in the real world (with other entities pursuing their goals), we would be at a loss to implement technical controls that align with our goals and the risks that come with any goal-directed action.
The Missing Blueprint
The NIST CSF provides the guidance and blueprint that so many organizations are lacking. To get to any destination, you first must know where you are. This is why identifying your resources is so vital; these are the required armaments needed for engaging with the digital world. With asset intelligence, we get a strong baseline for what is. We can add the contextual variables from the business environment and our governance standards to get a starting point that says, “All things being equal, this is what should happen”. But the second law of thermodynamics will necessarily remind us that entropy will drag us from order to disorder. This immutable law of the universe demands that we assess our risks relative to our strategic aims and play the counterfactual game of what could happen when we fiddle with the variables on our strategic quest.
With all this in place, we will succeed with the Identify pillar of NIST CSF. Start with what you have, orient yourself within your business context, establish what should happen, factor in the risks of this uncertain real world, and align your risk appetite with your ultimate goal.
Editor’s Note: To learn more about the NIST Cybersecurity Framework and how to use it for improved security, join the webinar Nailing it! 5 Ways to Win with the NIST Cybersecurity Framework. Josh will be joined by Forrester analyst, Renee Murphy.