How do you pace yourself? Slow and steady? Intense sprints with mini-breaks? Crazy fast like Tyler Andrews, the person who ran the 61km Salkantay Inca Trail in an FKT (fastest known time) of 6:13:03? We all perform at a different pace. My summer group hikes invariably start in a kind of peloton that then stretches out into clusters of like-gaited individuals, all intent on reaching a common destination—or at least enjoying exercise—and all settling into their preferred rhythm.
Pace comes into play with respect to how work teams adapt to, and adopt, practices to manage risk. External factors influencing pace include the legal/regulatory environment, attacks experienced by the organization or within the industry subsector, or client mission and requirements. Internal influencing factors include cultural characteristics, budgetary constraints, resource capacity, even risk appetite (paranoid, prudent, permissive, promiscuous—or perhaps perplexed, paralyzed). In an interview with Andrews, the modern-day chasqui (roadrunner) explained that he paced the trail by visualizing it in chunks: looking through the next set of steps, rather than the whole staircase. (His route featured 10,100 ft. of elevation gain—the equivalent of about three typical 14er hikes). Not that setting cybersecurity speed records is something I’d advocate, but breaking up the journey into a series of focused activities is. Reaching milestones creates organizational momentum, which is key for building sustainable security habits and mindset.
In addition to building momentum, setting a good pace means controlling momentum and adapting to changing conditions. In motorsports, the pace car’s function is to “get the field under control, so the cleanup process . . . can start,” according to NASCAR pace car driver Brett Bodine. “Once we do that, we report back to the race control the condition of the track, so [they know] what kind of equipment they might need to dispatch to do the cleanup. And then once that cleanup process is done, we basically sign off on the race track that it’s ready to go race.” [1] This is similar to decisions that security team leads make when planning and executing a security plan, for example, to implement the NIST 800-171 security control objectives. The desired outcome is safer track (or business environment) conditions; the ways in which control objectives are satisfied will vary according to organizational context.
Control Family Approach
One way to approach the 110 control objectives in NIST 800-171 is through its 14 control families. There can be a comforting familiarity to working from the first control (3.1.1)—and the beginning of the alphabetized family clusters (access control)—through the last control (3.14.7) at the end of the alphabet (system & information integrity). Checking the controls off one by one will get you there, but is that the optimal pace for your organization? Will it promote well-integrated outcomes that align with business mission and strategy?
Control Mechanism Approach
Another approach is to analyze the 110 controls according to the type of control mechanism or corrective treatment recommended: technical or nontechnical, broadly stated. A robust security posture relies on a well-orchestrated balance of people, processes/policy, and technology. Each type of mechanism has associated pros and cons:
People. You can trust and train your people to do all the right things with respect to not falling prey to social engineering schemes, but this will not prevent system failure due to an ineffective backup procedure or an automated process launched through a trading partner’s ordering system to which your system is connected. (Target’s breach in 2013 exposed up to 70 million customer records, along with roughly 40 million payment card numbers, after attackers pivoted into the retailer’s network using stolen credentials from an underprotected HVAC supplier.)
Processes/Policies. Your efforts to deploy password complexity and expiry requirements—or deny network access to nonregistered (rogue) devices or individuals—can be enhanced through enforcement via technical tools and user training. Policies and procedures that are unrealistic, contradictory, not understood/accepted, or unenforceable become stumbling blocks to progress. Approximately 24% of the 110 NIST 800-171 security control objectives can be addressed most directly through administrative mechanisms: standards, policies, and procedures.
Technology. Technical fixes for securing workstations and laptops connected to the network can be neutralized when an individual connects casually to a hotel hotspot, shares a password with a family member, or deliberately sabotages your FedRAMP-authorized cloud presence. (The recent Capital One breach of more than 106 million client records, in which a misconfigured web application firewall let an attacker obtain credentials for an over-permissive cloud role and read customer data from cloud storage, [2] illustrates, sadly, how vulnerable even consistent security efforts [3] can be.)
Clearly, a balanced approach that leverages the protective characteristics of diverse mechanisms is necessary. Looking at how two significant customers of the defense industrial base (the Department of Defense, or DoD, and the Missile Defense Agency, or MDA) prioritize risks and corrective measures (like those in your plan of action and milestones or POAM—you have one, right?) can help an organization determine how to pace its security program. Both DoD and MDA have implicitly recommended approximately 20% of the control objectives as good starting places:
DoD Approach. The DoD has classified control objectives according to general risk and impact. The table attached to this article is colorized to show the 24 control objectives (21.8% of the 110) associated with the most severe/extreme risk levels (red) and the high risk levels (amber). The control family represented most frequently is access control (AC), followed by configuration management (CM), then the identification and authentication (IA) control family—which is closely related to access control. The table summarizes the DoD guidance published 6 November 2018, [4] which is based in part on comments received on the draft version released earlier in 2018.
MDA Approach. The MDA has identified 23 control objectives (20.9% of the 110) for recommendation as best practices for reducing exposure to spear phishing, credential harvesting, and insecure perimeter infrastructure. The attached table indicates those control objectives, of which seven are within the access control family. The MDA approach further breaks down these recommended practices according to whether they are more frequently addressed by technical or nontechnical mechanisms.
Compensating Control Mechanisms and PACE
Compensating control measures may have to be adapted (adopted) by organizations to maintain security project momentum. In some respects, achieving a given security “condition” is more appropriately measured by a wave—the direction of organizational behavior—than by a point or score. As such, reference to another type of pace might be useful: the PACE model used by combat units for communications:
Primary—the best and intended method of communication between parties.
Alternate—another common but less-optimal method of accomplishing the task. Often monitored concurrently with primary means.
Contingency—a method that will not be as fast, easy, inexpensive, or convenient as the first two but is capable of accomplishing the task. The receiver often monitors this method only rarely, which is undesirable.
Emergency—the method of last resort, typically carrying significant delays, costs, and/or impacts. Often monitored only when the other means fail. [5]
Similar to the way in which communication channel choices are made when the optimal channel is unavailable or impractical, organizations can make choices about how to identify and protect high-value assets and resources—and detect, respond to, and recover from activities that compromise their confidentiality, integrity, and availability. These are the desired outcomes from a security program. The pace at which, and the means by which, they are achieved will vary by organization. To put it in personal communications terms, although I prefer to visit with my grandchildren in Virginia while seated at their kitchen table, I will opt for a FaceTime connection from my backyard in Colorado. The desired outcome—communication and connection—is still achieved; meanwhile my contextual constraints (the inability to tesseract, for example) are accommodated.
Next Steps to Find Your Organizational Pace: COODA [6]
Commit to pursuing a security program.
Observe the organization’s current risk condition. This will include discovery sessions with data and process owners to understand where information assets reside, how they are used, and what controls are possible.
Orient to the organization’s business strategy, mission, supply chain posture, and customer needs.
Decide on a plan of action and milestones (POAM), using guidance from NIST and DoD resources. (Some especially useful guides, from my perspective, are listed here. [7] NIST’s “Small Business Cybersecurity Corner” at https://www.nist.gov/itl/smallbusinesscyber is an information platform.)
Act on your plan at a pace that will improve your security posture in a consistent, sustainable, reasonable, and demonstrable way.
Good luck!
©2019 Manufacturer’s Edge
[1] https://ftw.usatoday.com/2017/02/nascar-monster-energy-nascar-cup-series-daytona-500-daytona-international-speedway-pace-car-chevrolet
[2] https://start.jcolemorrison.com/the-technical-side-of-the-capital-one-aws-security-breach/
[3] https://aws.amazon.com/solutions/case-studies/innovators/capital-one/
[4] https://www.acq.osd.mil/dpap/pdi/cyber/docs/DoD%20Guidance%20for%20Reviewing%20System%20Security%20Plans%20and%20the%20NIST%20SP%20800%2011-6-2018.pdf
[5] https://en.wikipedia.org/wiki/PACE_-_Communication_Plan
[6] With apologies to USAF Colonel John Boyd for adding “C” to his OODA loop model for making decisions.
[7] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf
    https://www.acq.osd.mil/dpap/pdi/cyber/docs/DoD%20Guidance%20for%20Reviewing%20System%20Security%20Plans%20and%20the%20NIST%20SP%20800%2011-6-2018.pdf
    https://www.oversight.gov/sites/default/files/oig-reports/DODIG-2018-094.pdf (see General Greaves memo, beginning page 53)