I am a subscriber to the NIST cyber security framework school of thought. Even though it is officially called the “Framework for Improving Critical Infrastructure Cybersecurity” it isn’t just about securing critical infrastructure, it really is applicable to every organization, industry and geography. Every organization has cyber assets that are critical to the business, and if they don’t – they are building those assets quickly through a digitalization initiative or slowly going out of business.
NIST’s strong point is that it takes an organizational and risk centric view of cyber defense as opposed to an attack centric view. The NIST framework is a set of categories with an implicit flow – starting at Identify. Each category builds on the information and processes from the previous category (there is also a feedback loop that isn’t depicted).
The NIST framework divides into proactive security (identify and protect) and reactive security (detect, respond, recover). I spend a lot of time with cyber security startups and lately I am hearing startups emphasizing the reactive part.
If you dig a little beneath that you find they assume companies have already made a large investment in “protect” and are pretty well defended. Then the next logical step is to bolster their layered defenses to protect themselves against the small number of attacks that do get through. In that context it makes sense – if you already have a strong “protect” stance then it makes sense that next thing on your list should be bolstering your reactive cyber defense capability – and making sure you have the people, processes and tools in place to detect and respond as quickly as possible. That logic holds for the few companies that are really at the forefront of cyber defense
For the other 99% of the world – they need to first focus on identify and protect, as laid out by the NIST cyber security framework. Really it is simple logic – put the tools and processes in place to identify and decide what you need to protect (and how much) and then put the appropriate protection (tools and processes) in place.
The same is true for a cyber platform – it needs to first focus on active security, and build on that to as a basis for reactive security.