Cybersecurity: Functions (Part 4)

Protect.

This function, protection, is perhaps the most common function associated with cybersecurity. When speaking about the CIA triad, the day-to-day functions, and the purposes of cybersecurity, the first function most people think about is the protection of identities, data, and assets. As we’ve seen in the previous posts about cybersecurity functions, there are many additional functions, and we cannot begin to protect without first adequately and appropriately applying those other functions. Protection is a byproduct of other functions. Let’s take a deeper dive into this.

Protection is a byproduct of other functions.

Trying to protect something is futile when you do not know what to protect or what threats you face (Identify). It is equally futile to expend time, energy, and money when you do not know the objective or requirements for that protection (Govern). Without these, we could cause interruption to the business by being overbearing in our protections (deny-all) or inadvertently lax in where we place these protections (treating dev as less critical than production). Yet, all too often, cybersecurity teams interrupt progress within the business because the actions to protect are not well-defined and are misaligned with the business.

The fundamental role of cybersecurity in an organization is to enable the functions of the business and its systems while ensuring proper and adequate security. This is accomplished through managing risk. Risk is defined, and acceptable risk is outlined through governance. Protection aims to use safeguards to prevent or reduce cybersecurity risk. This function is not separate from the other functions. Instead, it is a subcategory that controls risk.

Still, the most common view of cybersecurity comes from the actions and controls employed using the protect function. Protect is where cybersecurity performs its daily tasks, implementing and executing upon the established laws, regulations, policies, standards, and guidelines. This function applies the tools and techniques that put a Zero-Trust Architecture into practice.

Referring to the discussion draft of the NIST Cybersecurity Framework 2.0, protection includes (1) identity management, authentication, and access control; (2) awareness and training; (3) data security; (4) platform security; and (5) technology infrastructure resilience. Aligning to zero-trust architecture, the new border of an organization, and the basis on which trust is granted, is the identity. We can implement all the technical controls in the industry and still be breached because users (humans) mishandle the protections of their cyber identity and data. This is why awareness and training receive greater emphasis than ever before. While we must still protect some network borders and the systems that applications run on and identities interact with (platform security), the real asset being protected is the data (data security). While we would desire never to have an incident, we must presume a breach will occur and systems will fail, and we must be resilient enough to maintain business function despite these. Additionally, we must maintain our infrastructure with updates, backups, and timely scheduled refreshes (technology infrastructure resilience).

This list of activities to protect varies tremendously based on the risk factors, the size and nature of the business, where and how technology is implemented, the skillset and knowledge of the professional, and available budgets. A tool I frequently recommend to my peers to assist in understanding what activities align with the cybersecurity framework and each function is CSF Tools (version 2.0 is also available).

Cybersecurity requires understanding an organization’s mission, vision, and strategy and applying this understanding to create a secure environment to succeed.

Cybersecurity Functions (Part 1) – Cyber Muster

As professionals, protection is where we spend most of our time. This is where we physically enable our organizations. Misapplied, the protect function is also where cybersecurity creates the most friction in an organization and earns a negative perception. As skilled and knowledgeable professionals, we must acknowledge that this function is futile without being able to objectively, repeatably, quantifiably, and qualitatively establish risk (Govern) and what we are protecting (Identify). To do this, we must operate from the proper foundations.

Before proceeding to the subcategories of protect, ensure “first things first”: read and understand your organizational governance. Once that is covered, identify the risk with risk assessments and threat modeling. Know your organization. If you are beginning anew within an organization, take the time to set up the governance first. As we see with recent rulings from the new SEC regulations proposal, cybersecurity is foundational to the success of an organization, and the emphasis on this is only growing stronger. It all begins with the governance. From there, we identify what to protect and why; then, we use protection to fulfill the requirements and mitigate, transfer, or accept risk. If you can get this right, you are already on your way to correctly applying the protect function.