There are various dictionary and professional definitions of principles. I prefer the definition that principles are values guiding behaviors and actions. As cybersecurity practitioners, having a clearly defined set of principles to determine what you do and how you do it is essential to getting the job done, and doing so ethically, professionally and competently.
By Dr Mike Brass, CISSP
I am a long-standing academic with a Ph.D. from the social sciences, as well as a practicing security practitioner, leveraging my personal and professional cross-disciplinary knowledge and approaches. When I started to write this article, I took inspiration from a challenge by Dr Richard Diston to write down one’s own principles of being a practitioner. Similarly, Dr Mansur Hasib’s books (Bring Inner Greatness Out and Cybersecurity Leadership) also go into many non-technical principles. It was a challenge in which I saw value. I wrote down what I regard to be the nine foundational principles of security which I have used and evolved in my 23 years in IT and information security, and this article sets out those principles.
Your mind may go immediately to either the CIA Triad or the ISC2 Code of Ethics. This would be a serious mistake and should invite some introspection. The CIA Triad is dated; its origins and value lie in technical operations. The Code of Ethics is a framework for ethical behavior. The CISSP certification is different again: it is about security assurance concepts and broader cybersecurity leadership. This is why courses like the CISSP and CISM benefit from being supplemented with additional security leadership training that drills down on specific focuses.
What do we mean by the term principles? The Cambridge Dictionary defines a principle as a basic idea or rule that explains or controls how something happens or works. The Collins English Dictionary alternatively defines it as an accepted or professed rule of action or conduct. I prefer the definition that principles are values guiding behaviors and actions. These nine principles are not confined to security practitioners engaged in governance activities. They can and should be leveraged by every security practitioner.
- Integrity and Knowledge
- Impact on objectives
- Education and Capability
- Trusted Advisor: Audience
- Trusted Advisor: Clarification
- Data Minimization
- Focus On Objectives and Outcomes
- Move Beyond Security Metrics
Personal and professional integrity is more than setting boundaries and being friendly and approachable. As far as possible, recognizing that humans are fallible, avoid coercive and harmful behaviors. If necessary, you must be prepared to walk away from a situation or company where it becomes untenable.
Likewise, you must get to know the entire organization. You must understand it holistically, and this means meeting with personnel from all strata and departments across the organization. You need to be asking the right questions to get good, comprehensive answers. It comes down to the ability to influence and the context in which decisions are made. One of the best ways to start, and to assist with getting to know the company, is to construct and maintain a Business Model Canvas. This will enable you to understand the company strategy or department strategies, key activities, partners, value propositions, customer segments, channels, and the financial and regulatory environment, which you can supplement with an understanding of the company culture. Integrate these within any existing risk management processes.
This is about knowing the objectives and priorities of the company. There needs to be a mindset shift from “protect the assets” to reducing the impact of adverse behaviors on the value creation processes of the business. Different businesses, competitors, regulators, insurers and other entities place contrasting values on assets, and these values are continually shifting. Each department within a company has its own strategy to meet the targets set by leadership and to comply with the overarching board strategy. We must reduce the potential impact of unwanted behavior on the processes the business follows to achieve those objectives and make money. Protection at the asset level therefore becomes tactical rather than the goal in itself.
There is a never-ending debate about university education, certifications and free resources. At its heart is a battle over how to bring through the next generation of practitioners and what the vision for the future is. Information security, or cybersecurity, aspires to be a profession like engineering or accountancy. Efforts are underway in various countries to introduce formal qualifications, recognition and tiers. However, these efforts have some way to go. While these maneuvers play out, there has to be a recognition of the value of properly vetted training resources. A community of professionals can only be built when the foundations are solid. The benefits of university education are well known, but this principle is about building up both the intellectual and the practical capabilities within your company.
This is more practical. It is about knowing your audience. Set expectations and define your conditions for access via policies that are aligned with the overarching business strategy and the business security strategy. Remember, simply holding ISO 27001 certification is not a business security strategy on its own.
There may be times where it is appropriate to say, “I do not know,” but you must then make sure that you either do know or quickly find out. Lying or attempting to fudge an issue is unacceptable. Therefore, you must bring clarity to your own thinking and knowledge bank as much as to your company’s.
This involves ensuring that the fewest possible systems are run, to reduce complexity in your environment, while ensuring that staff can maximize their productivity using all the tools they require. This is part of streamlining processes to become as efficient as possible, creating value for the business through cost and productivity optimization, and reducing the attack surface.
This point in particular is, explicitly or implicitly, one of the bedrocks of the security industry. That is no surprise, as it is also the basis of virtually all work in the social sciences, to which we turn when we want to understand behavioral patterns, their context and their diverse manifestations, not just within countries but also between countries and continents. It feeds into many of the technological products that look for errant behavioral patterns in network activity. It is therefore no surprise to see it form part of Diston’s 12 principles. Certain behaviors can have an adverse impact on the value creation processes, and it is our duty as practitioners to have a solid handle on what form these external and internal behaviors take.
These behaviors can destroy, deny, devalue or degrade our capabilities. This goes beyond traditional risk management, which attempts to quantify risk but does not always adequately account for the sociology. It means keeping an informed, watchful eye on the ever-evolving environment and making the necessary adjustments. It starts at the governance level.
While it feels very nice to present a metric which says “we have prevented x number of attacks this month”, it is hard to take credit for what has not yet happened or has not yet been detected. Proportionate responses that enhance and protect the value creation processes must be developed and maintained. As previously mentioned, a good place to start is drawing up a Business Model Canvas. One output can be designing a security playbook for your pre-sales, sales or service delivery teams. This includes enabling them to field the increasing number of requests from prospective clients about the security posture and practices of your company. Help your company win business. Demonstrate real security value through proactive protective and enhancement services.
There are instances where metrics are absolutely necessary, but metrics by themselves do not demonstrate that your company is secure. Metrics assist in compliance, which is not the same as security. Metrics can help direct resources, but be mindful of how people may misjudge the inputs to the metrics.
From my perspective, these principles move practitioners beyond the technical and into the strategic. Following them forces practitioners to look inwards at themselves and at their teams to ensure that professionalism is always maintained, that their integrity is beyond reproach, and that the framework in which they operate is designed with the best outcomes for the company in mind.
Dr Mike Brass, CISSP, CISM, CRISC, MBCS is Vice President of Information Security, Data Privacy and Business Systems at Ubisense.