In my previous post (“Visibility, Visibility, Visibility”) I talked about the foundational and essential nature of visibility to doing proper information security. The basic idea is that you have to be able to see everything that goes on with your information assets to make well-informed, risk-based decisions about how to act. And since the InfoSec landscape has changed so significantly with the realization that breaches are now about when rather than if, visibility is all the more critical. Ignorance can no longer be considered a viable strategy for dealing with risk, if it ever was before.
So, where I left you last time was with the realization that once you attain visibility, you may well be drowning in data. Indeed, information security now finds itself with a big data problem. That problem, though, pales in comparison to the one where many InfoSec professionals meet their Waterloo: contextualizing that mountain of data in terms of their own business. There is a plethora of technologies that can help you find anomalous activity, correlate logs and events, and search through enormous volumes of log data. What technology cannot do is help you understand and make decisions about what matters to your company, and what constitutes responsible action in the context of serving the needs of the business. This function, which I call “intelligence” for shorthand, is where the CISO adds tremendous value to the business.
Standardization and process automation are critical to making timely decisions based on your information sources without having to execute full discovery, consult with data owners, and perform individual risk analyses every time. Or to put it another way, supporting a standard system within a policy matrix that dictates specific controls is going to be orders of magnitude more efficient than firefighting. Few of us, however, exist in environments where systems are standardized and controls are uniform. So how do we approach this problem?
First, recognize that the InfoSec team (or IT in general) is very rarely a data owner; in most cases, we are data custodians. We must respect the classification of data as determined by the data owner and ensure that the data has controls appropriate to that classification, so that risk is managed effectively. Most organizations have a data classification schema in place, but for the sake of argument assume that your data is Public, Private, or Confidential. Of equal importance is how that data is accessed. Is it available only to systems on your internal network? Is it accessed via a web application? Is it accessible only to authenticated users? The combination of access method and data classification gives you a fine-grained determination of the controls that may be appropriate to safeguard your data.
Second, look at the types of protection you could apply when you cross-reference data classification against access type. For example, if you have business-critical, highly transactional systems that contain financial data but are exposed through web applications, you might want to look at application-aware firewalls, as well as a more stringent software development lifecycle, coupled with a more frequent cadence of web application vulnerability scans. These controls would likely NOT be appropriate for a web application that poses little to no risk to the company. These controls are ultimately the way InfoSec proposes to manage risk, based on the stated value of those assets to the business. Thus, mapping and understanding data flows within your business is critical to your success in appropriately protecting that data.
Once the controls are determined, you need to apply them uniformly to your assets. This gives you a key element to tune your information gathering, as well as predictable outputs when that information indicates that anomalous activity is occurring. And if the business determines that the criticality of an asset changes, you can adjust the applicable controls, which will in turn have an impact on your information gathering and your reactions to any incident. In essence, you are standardizing the behavior of how you build, operate, manage and protect assets based on their value to the business. If this seems simple, even obvious, it should. And yet nearly nobody is doing this, or at least nobody is doing this very well.
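As an added illustration of the policy matrix described in the preceding paragraphs (example code written for this edit, not part of the original post or any product it discusses), the following script encodes a classification-by-access matrix as data, derives the required control set for each asset, reports gaps against the controls actually deployed, and shows how reclassifying an asset changes its controls automatically. The three tiers, the access methods, the control names, the scan cadences, the prohibited pairings and the sample inventory are all assumptions chosen for the example; substitute your own schema and CMDB data.

```python
"""Policy matrix: data classification x access method -> required controls.

Added example (not from the original post). The tiers, access methods,
control names and sample inventory below are assumptions for illustration.
"""
from dataclasses import dataclass

# Classification tiers in increasing sensitivity; a tier inherits every lower tier's controls.
CLASSIFICATIONS = ("Public", "Private", "Confidential")
ACCESS_METHODS = ("internal", "web-authenticated", "web-anonymous")

# Applied to every asset regardless of classification or exposure.
BASELINE = frozenset({"patching", "central-logging"})

# Controls driven by classification alone.
BY_CLASSIFICATION = {
    "Public": frozenset(),
    "Private": frozenset({"authn-required", "access-review"}),
    "Confidential": frozenset({"encryption-at-rest", "dlp-monitoring"}),
}

# Controls driven by how the data is reached.  A cadence is encoded as "name:cadence".
BY_ACCESS = {
    "internal": frozenset(),
    "web-authenticated": frozenset({"webapp-scan:quarterly"}),
    "web-anonymous": frozenset({"webapp-scan:quarterly"}),
}

# Escalations that apply only to a specific combination (sensitive data behind a web app).
BY_COMBINATION = {
    ("Private", "web-authenticated"): frozenset({"waf", "webapp-scan:monthly"}),
    ("Confidential", "web-authenticated"): frozenset({"waf", "secure-sdlc", "mfa", "webapp-scan:weekly"}),
}

# Pairings the policy forbids outright: non-public data must not be anonymously reachable.
PROHIBITED = {("Private", "web-anonymous"), ("Confidential", "web-anonymous")}

CADENCE_RANK = {"quarterly": 1, "monthly": 2, "weekly": 3}


class PolicyViolation(Exception):
    """Raised when an asset's classification/exposure pairing is not allowed at all."""


def _strictest_cadence(controls):
    """Collapse 'name:cadence' duplicates so only the most frequent cadence survives."""
    best, plain = {}, set()
    for control in controls:
        if ":" not in control:
            plain.add(control)
            continue
        name, cadence = control.split(":", 1)
        if name not in best or CADENCE_RANK[cadence] > CADENCE_RANK[best[name]]:
            best[name] = cadence
    return frozenset(plain | {f"{n}:{c}" for n, c in best.items()})


def required_controls(classification, access):
    """Return the control set the policy matrix demands for this classification/access pair."""
    if classification not in CLASSIFICATIONS or access not in ACCESS_METHODS:
        raise ValueError(f"unknown classification or access method: {classification!r}, {access!r}")
    if (classification, access) in PROHIBITED:
        raise PolicyViolation(f"{classification} data must not be exposed via {access}")
    tier = CLASSIFICATIONS.index(classification)
    controls = set(BASELINE)
    for lower in CLASSIFICATIONS[: tier + 1]:  # inherit the controls of every lower tier
        controls |= BY_CLASSIFICATION[lower]
    controls |= BY_ACCESS[access]
    controls |= BY_COMBINATION.get((classification, access), frozenset())
    return _strictest_cadence(controls)


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    access: str
    deployed: frozenset  # controls actually in place, as reported by your inventory/CMDB


def control_gaps(asset):
    """Required controls not deployed on the asset (an empty set means compliant)."""
    return required_controls(asset.classification, asset.access) - asset.deployed


def reclassify(asset, new_classification):
    """The data owner changed the asset's value to the business; controls follow automatically."""
    return Asset(asset.name, new_classification, asset.access, asset.deployed)


def audit(inventory):
    """Map each asset name to its gap set, or to a violation marker for forbidden pairings."""
    report = {}
    for asset in inventory:
        try:
            report[asset.name] = control_gaps(asset)
        except PolicyViolation as exc:
            report[asset.name] = frozenset({f"VIOLATION: {exc}"})
    return report


# Constructed sample inventory (hypothetical systems, not real ones).
INVENTORY = [
    Asset("ledger-api", "Confidential", "web-authenticated",
          frozenset({"patching", "central-logging", "authn-required", "access-review",
                     "encryption-at-rest", "waf", "webapp-scan:monthly"})),
    Asset("marketing-site", "Public", "web-anonymous",
          frozenset({"patching", "central-logging", "webapp-scan:quarterly"})),
    Asset("hr-export", "Confidential", "web-anonymous", frozenset({"patching"})),
]

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        print(f"{name}: {'compliant' if not gaps else ', '.join(sorted(gaps))}")
```

Running the script reports that the confidential, web-exposed `ledger-api` is missing DLP monitoring, a stricter SDLC, MFA and a weekly (rather than monthly) scan cadence, that the public `marketing-site` is compliant with only baseline controls, and that `hr-export` is a policy violation rather than a gap list. Reclassifying `ledger-api` to Private makes its existing controls sufficient, which is the point of the approach: the decision about what an asset is worth belongs to the data owner, and the control set, the monitoring you tune and the response you expect all follow from that decision rather than from a fresh investigation each time.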
Next up: Adding Intelligence Pt. 2—Measuring For Response