In a previous blog post, I wrote about the EASY Framework — my framework for operationalizing threat intelligence. Personally, I’ve applied it to different aspects of cybersecurity and technology.
Allow me to explain. I’ve spent my entire career in the intelligence field. I even had my own consulting firm for a few years, where all I did was build threat intelligence capabilities. After a while, I found myself repeating the same advice over and over again. I began to wonder, “Wouldn’t it be great to have a button that someone could press to guide them in building a high-functioning threat intelligence program?” And from that question, the EASY Framework for threat intelligence was born.
Then, one day I was asked, “What does a CEO need to consider when it comes to cybersecurity?” Sitting there, in my mind’s closet, covered by a thin layer of dust, was my EASY Framework. But I knew I had to reimagine it a bit to make it more applicable for the business leader who may know very little about cybersecurity.
We know that the EASY Framework is a very simple and practical guide for intelligence, but how does it change for the business leader? Much of it stays the same, aside from some shifts in perspective and one different tenet. Without further ado, this is how to leverage cybersecurity for the business — the EASY way.
Elicit Requirements
Requirements are the foundation for any service, program, or initiative. For the business leader, the question is simple: “What does this cybersecurity program need to help protect the business?” The organization could have valuable data to maintain, such as client/customer data or proprietary information. There could be business operations that, if degraded or disrupted, could cost the organization revenue. This could simply be the company’s website that must remain available during the launch of a new product.
These are examples of critical assets that must be protected. Once you know what you want to protect, you’ll need to gauge the visibility of the internal and external environment.
Assess Resources
For threat intelligence, this pillar was about threat feeds and other data for analysis. For a security program, though, this pillar is more complex. The threat feeds still apply, since you must have an idea of the threats your organization and industry face. But in a business context, you must also understand the data that surrounds the critical assets discovered in the first pillar.
This data can include types of logs, records, and other metrics for security analysis and health checks. But this process can be harder than it sounds. Figuring out what data you have, gathering the data in an automated way, storing the data, and enabling analysis is a tough but valuable journey to undertake.
One of the great things about being a leader is growing the team, and that belongs in this pillar too: what team members do I need to grow or hire to execute this mission? Once you understand this pillar to some degree, it’s time to have fun with impact.
Strive for Impact
I may be biased, but I believe that security is the ultimate business enabler. One of my favorite analogies to use is the Formula One analogy. Think of the driver as the business leader. The car? That’s the business. The pit crew? That’s your cybersecurity team monitoring the gauges and health of the car to inform the driver how hard and fast they can push the car.
Security enables the car to move fast, as safely as possible. The security team should be thought of in this light. This is the impact we are looking for.
Yield to Feedback
Feedback is a gift. It’s the best way to iteratively improve your program. If you’re receiving constructive feedback about the security program or the business from a stakeholder, then you must take steps to realign. Even if the stakeholder is misguided, you should still take the time to speak with them, understand, and empathize.
Some friction could simply be due to a miscommunication. Have a cup of coffee with that stakeholder and listen. Reassure them that you’re there to support their mission and have teamwork at the forefront of your mind.
I hope this framework can serve as a touchstone for any business leader thinking about the security of their organization. Whether you’re building a program or looking to optimize operations, realize that it’s a marathon — not a sprint.