Article Published: January 11, 2016
Matthew Butkovic is a Technical Manager in the CERT Division of the Software Engineering Institute, where he performs critical infrastructure protection research and develops methods, tools, and techniques for evaluating capabilities and managing cyber risk. Butkovic is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).
TEQ: So Matt, how do you define process in cybersecurity?
MB: A process is a way to organize activities that achieve an objective. Process can be applied to cybersecurity activities to focus them on the strategic objectives of the organization.
The process part of the cyber challenge, although powerful, is often ignored or underappreciated. Organizations can’t make progress by simply adding technology without having processes to guide its use. Likewise, we can’t make progress by simply hiring the best people if they aren’t following a process to keep everybody pulling in the same direction.
TEQ: Do you see a lack of emphasis on process in many organizations?
MB: Yes. Process is often underfunded because management is more comfortable investing in people and technology. As technology pervades nearly every industry and many elements of our everyday lives, we have to find ways to protect ourselves from cyber threats. Process is often not an intuitive part of a typical organization’s defense against cyber threats.
TEQ: Why is this?
MB: There are, typically, two main reasons. First, organizations don’t understand why process is important or needed. Unfortunately, many organizations buy tools and deploy them without thinking about how they should work together to meet their cybersecurity goals. However, process is the differentiator among organizations that must use and deal with technology.
Second, organizations can’t measure the results of process changes. Many executives don’t invest in process; their organization’s security practitioners cannot adequately explain the value of process to management because the security profession hasn’t been using process for long. That’s where measurement comes in. When you can measure the results of process improvement, the benefits are clear and the investment follows.
TEQ: How do processes help mitigate cyberattacks?
MB: Process provides a guiding principle for cybersecurity activity. Processes that are ingrained in how an organization operates, those that are institutionalized, are more likely to survive a disruptive event like a cyberattack. These processes continue to work in spite of the attack.
For example, a common problem organizations have is that they don’t understand which assets are valuable to how they operate. You must understand which assets are most important to operate your organization to understand how to protect your organization. If you don’t understand the connection between assets and the operation of your organization, you may not see how one system is crucial to multiple processes in the organization. So, a loss of that system could have catastrophic, far-reaching effects that could paralyze the organization completely.
TEQ: What can organizations do to improve in this area?
MB: You should see your organization as an ecosystem of related processes working together to a common end and find a way to organize your organization’s activities. You can do that using resources developed by NIST (National Institute of Standards and Technology), ISO (International Organization for Standardization), or others. Managing cybersecurity activities in a concerted way ensures that you are getting the results you need and want.
You can start improving your cybersecurity posture today by thinking about how to build process into the daily cybersecurity practices of your organization. Think about what happens when your organization is subjected to a cyberattack. What would the impact be? What systems and assets would be affected, directly and indirectly? Approach your risks proactively, not reactively. The worst time to think about cyberattacks is after they’ve disrupted your organization’s operations.
In this way, you can start to look at cybersecurity as an engineering problem. Your requirement is to protect your assets, and you need to track and measure the activities you use to do that. You don’t want to haphazardly throw activities at this requirement in an uncoordinated way. Instead, you want to create processes that work together to protect your organization that you can track and measure.
TEQ: What are CERT’s contributions to this area?
MB: The Software Engineering Institute has been a leader in applying process engineering and process discipline to software development for over 25 years. CERT has leveraged that experience to develop the CERT Resilience Management Model (CERT-RMM), our extension of SEI process experience into the cybersecurity arena.
We’ve also developed other resources, including the Cyber Resilience Review (CRR), which allows you to measure your cybersecurity posture and map what you’re doing to things like the NIST Cybersecurity Framework. We also created the CERT-RMM MIL Scale, a way to measure achievement of your cybersecurity objectives using the CERT-RMM.
TEQ: Will there be a focus on process during the CYBURGH, PA event?
MB: Yes, absolutely. The event will help organizations get on board with the power of process and learn about how process can make a huge difference in their cybersecurity posture. We in Pittsburgh can show the rest of the world how process can make the difference in protecting our organizations. I look forward to seeing you there!