The ONE thing that makes a Great Cybersecurity Professional
What I learned after becoming an ISSAP®
I just passed the ISSAP® (Information Systems Security Architecture Professional) exam from (ISC)2®. It was one of the most challenging exams I have taken in my life. All of the multiple-choice answers are correct, but in most cases you are required to choose the best one. I checked the member count on the official website: there are 25 active holders in Hong Kong and 2,061 worldwide.
Significant in Cybersecurity = Nothing Happens.
Let's talk about what it is like to become a security professional. Ten years ago, when I was studying for my Master of Computer Forensics, the professor once said, "The best security happened when nothing happened." It sounded like a joke at the time, but looking back now, it was wisdom.
If everything works according to plan, there is no security incident. Security professionals, ideally, should not be handling security incidents all day. What matters more is security planning and design: the process of allocating resources such as time and people to maximize visibility.
The difference between IT and cybersecurity is not the technical know-how or the certifications. The key is that the problem we are trying to solve is different.
What is the most frightening thing about a human being?
You can try to answer it by thinking about scary movies. The one thing they have in common is the unexpected or unknown ghost or monster, or the sudden death of a character. We, as humans, do not know what we do not know: the unknown. That is what we are truly afraid of.
In a security professional's daily life, our primary goal is not to make sure everything is running as expected but to make sure the unexpected or unknown is minimized or mitigated. When everything is considered and handled, IT should be happy and it is business as usual: nothing happens.
The Basic Concepts - Pillars
Security is more of a concept than technical knowledge, as I always tell my colleagues. Nothing is more important than thinking with a security mindset. My sole purpose in every training webinar and event is to bring these concepts to all kinds of users, not just technical people.
Interestingly, each of these concepts is built from three elements: three pillars addressing the same subject. In this article, I would like to walk through the core of the core from a cybersecurity perspective.
1# CIA - Confidentiality, Integrity, Availability
The CIA triad is what we call the "Chapter One" of information security. According to NIST Special Publication 800-12:
information security was defined as protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide Confidentiality, Integrity, and Availability. The careful implementation of information security controls is vital to protecting an organization's information assets and its reputation, legal position, personnel, and other tangible or intangible assets.
Protecting the organization's assets, both tangible and intangible, is the ultimate goal of information security.
Confidentiality - data, objects, and resources are protected from unauthorized viewing and other access.
Integrity - data is protected from unauthorized changes to ensure that it is reliable and correct.
Availability - authorized users have access to the systems and the resources they need.
Confidentiality often conflicts with integrity and availability, and the same holds for each of the other two. For example, data availability decreases when data encryption is in place, but confidentiality and integrity are enhanced. It is always vital for a security professional to balance all three aspects in any information system design.
2# DiD - Defense in Depth (Layered Approach)
Defense in Depth is the idea of having multiple security measures implemented in layers to protect assets and information. If one measure fails, the next one is in place to counter the attack. This multi-layered method, with intentional redundancies, strengthens the security of a design as a whole and addresses diverse attack vectors.
The goal of a DiD design is to delay the attack as long as possible. If the attack takes too long, the enemy changes target or eventually gives up.
We usually use castle defense as an analogy for this concept. Soldiers are deployed in different teams, with physical defenses like towers, bridges, and walls built one after another. Enemies have to defeat all of the defenses to gain access to the palace.
3# PPT - People, Process, Technology
PPT is a framework not only for security but for modern business processes in general. The PPT framework has been around since the early 1960s. Business management expert Harold Leavitt developed his model for creating change in an organization in a paper titled "Applied Organization Change in Industry."
People - People can develop skills, and some have already obtained them. Security professionals with technical expertise can think through the risks impacting the systems. People without the skills can also be trained or can learn them if required. (The blacksmith)
Process - The defined, repeatable, and improvable steps you document and train on to perform a function. Processes drive the effectiveness and success of the security program. They are often one of the critical assets we review when implementing an information security program. (The heating of the metal and the forging)
Technology - Tools used to achieve, speed up, or extend the impact of the security goals. Investment in tools allows greater speed, profit, efficiency, and use of resources. Companies focus heavily on technical means because the specification of a tool is easy for management to measure and understand. The effectiveness of security tools, however, can seldom be measured by their return on investment (ROI). (The hammer)
PPT represents three separate areas of resources. Each of them should be considered when developing a security program. As the least considered or invested pillar, people are often the weakest link.
4# PDC - Preventive, Detective, and Corrective Methodology
Internal controls fall into three categories: preventive, detective, and corrective. From a security perspective, they can be explained by when the control takes effect relative to an attack.
BEFORE - Preventive controls are designed to keep attacks from occurring in the first place. Controls may be automated, manual, or hybrid.
DURING - Detective controls are designed to detect attacks that may have occurred.
AFTER - Corrective controls, on the other hand, are designed to correct the effects of attacks that have been detected.
PDC concepts are used not just in security but also widely in audit and risk assessment. The PDC framework is often used in conjunction with the DiD methodology, forming a matrix of controls mapped onto the different layers.
An excellent security professional uses these pillars to weigh costs and benefits, take all the factors into account, and prioritize the options with valid reasons under very stressful and time-limited conditions. Without this mindset, it is impossible to provide valuable advice or action regarding a security posture.
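As an added example (not part of the original article), the following Python builds such a DiD x PDC matrix from a constructed control inventory and reports the empty cells (layer-and-timing combinations with no control at all) and the cells protected by a single control (no redundancy if that control fails). The layer names, control names and inventory are assumptions for illustration only.

```python
"""Gap analysis over a Defense-in-Depth x Prevent/Detect/Correct control matrix."""

# Assumed DiD layers, outermost first (constructed for this example).
LAYERS = ["perimeter", "network", "host", "application", "data"]
# PDC categories in the order the article presents them: BEFORE, DURING, AFTER.
CATEGORIES = ["preventive", "detective", "corrective"]

# Constructed control inventory: (control name, DiD layer, PDC category).
CONTROLS = [
    ("edge firewall", "perimeter", "preventive"),
    ("network segmentation", "network", "preventive"),
    ("IDS sensor", "network", "detective"),
    ("EDR agent", "host", "detective"),
    ("host isolation playbook", "host", "corrective"),
    ("input validation", "application", "preventive"),
    ("encryption at rest", "data", "preventive"),
    ("backup and restore", "data", "corrective"),
]


def build_matrix(controls, layers=LAYERS, categories=CATEGORIES):
    """Return {layer: {category: [control names]}}; reject unknown layers/categories."""
    matrix = {layer: {cat: [] for cat in categories} for layer in layers}
    for name, layer, cat in controls:
        if layer not in matrix or cat not in categories:
            raise ValueError(f"{name!r}: unknown layer/category {layer!r}/{cat!r}")
        matrix[layer][cat].append(name)
    return matrix


def find_gaps(matrix):
    """Cells with no control: an attack phase at that layer is not covered at all."""
    return [(layer, cat) for layer, row in matrix.items()
            for cat, names in row.items() if not names]


def single_points(matrix):
    """Cells covered by exactly one control: DiD redundancy is missing there."""
    return [(layer, cat, names[0]) for layer, row in matrix.items()
            for cat, names in row.items() if len(names) == 1]


if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    for layer, row in m.items():
        print(f"{layer:12}", {cat: len(names) for cat, names in row.items()})
    print("gaps:", find_gaps(m))
    print("single points of failure:", single_points(m))
```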
I think that is all for now, as I have already introduced the essential concepts in cybersecurity, which are:
- CIA triad - Confidentiality, Integrity, and Availability
- DiD Approach - Defense-in-Depth
- PPT framework - People, Process, Technology
- PDC Methodology - Prevent Detect Correct
Keeping all four of them in mind when considering security is a great way to learn and understand the challenges and limitations of any prospect, now and in the future.
Happy reading and learning Cybersecurity.