Building your Cyber Security Program: The Cyber Security Triangle

Visualization is a critical component of an effective cyber security strategy. The easier it is to form a mental image of how each part dovetails with the other, the more effective and comprehensive the resulting framework will be.

Previously, we discussed the hierarchy of cyber security needs via the cyber security pyramid, along with the various lenses through which to view a cyber security program (controls, risk and maturity) – also, how to cover multiple controls focuses with an even spread on the tangibility-abstraction matrix.

We have almost everything we need to build an effective program. The only part missing is the cyber security triangle, our final visualization tool.

Practice, Regulations and Strategy

The cyber security triangle represents everything about the cyber security program – from where it is now and where the organization wants it to be, to the program requirements mandated by regulatory bodies and the strategic planning and tactical initiatives that drive cyber security decision making on route to maturity.

The triangle represents every control, every law, every risk decision and every improvement. Without representation from all three sides, the program is incomplete.

Practice

This side of the triangle is all about the delta between the current and desired state of the organization’s cyber security program.

There are several different assessments the business can conduct to gauge where it’s at right now. These can be done in piecemeal or all at once.

Controls Assessment: Generally, this includes a cyber security audit or self-assessment against one of numerous different cyber security frameworks.

Risk Assessment: This involves identifying potential cyber security threats based on industry, technology, size, organizational and cyber security structure and overall risk tolerance.

Maturity Assessment: This determines the effectiveness of controls – considering both the technology and human factors – and decision-making ability.

The desired state is, by definition, more subjective. It could be determined using a controls-based focus (e.g. alignment with compliance frameworks), a risk-based focus or a maturity-based focus – though it should be a combination of all three. What’s imperative is having a clear and documented plan of where the organization wants the cyber security program to trend towards, how it plans to get there and having repeatable tests to measure progress.

Regulations

Every region and industry mandates specific – and increasingly stringent – laws, regulations and compliance regimes organizations must follow to do business in their jurisdiction. These are generally straightforward and, considering the potential consequences, should be non-negotiable.

Some common examples include:

General Data Protection Regulation (GDPR) – Applicable to organizations who collect personal information on European citizens.

Personal Information Protection and Electronic Documents Act (PIPEDA) – Applicable to organizations who collect personal information on Canadian citizens.

Payment Card Industry Data Security Standard (PCI-DSS) – Applicable to organizations who accept Visa, MasterCard or American Express to take payment, conduct credit checks or as identification.

Unfortunately, many businesses have yet to align their cyber security program with the applicable legislation or frameworks. Even in the case of security ‘norms’ where certification of compliance is not mandatory, it’s important to consider the potential consequences of bucking the trend. Being labelled deficient and incongruent to best practices could have significant and lasting reputational consequences. 

Strategy

The last part of the cyber security triangle is also the most important.

Governed by risk and directed by maturity, strategy and tactics are the foundation the entire program rests on – and what ultimately dictates the speed and direction the other two sides will improve.

Risks are critical objectives. Failing to address these could significantly impact profitability, stock price and the ability to function or recover in the event of a breach.

Maturity goals are aspirational objectives which define how an organization will improve their overall cyber security posture. Full maturity is the desired state where an organization no longer needs to invest in scaling their program.

These complimentary variables exist in a continuous feedback loop. Each risk-based improvement will expose a maturity weakness (i.e. the ability to measure the solution’s effectiveness or the precision thereof). And, conversely, each maturity-based improvement will feed directly back into risk management. The practice of strategy and tactics is to pursue balance in this system.

Tomorrow’s technology is shaping business today. To learn more about how MNP can help you build an effective cyber security strategy, contact Jason Murray at 647.333.6241 or [email protected]