#96 - The 9 Cs of Cyber

Ahoy! and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to -- talk like a pirate. ARRR. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

On today's episode we are going to talk about the 9 Cs of Cyber Security. Note these are not the nine seas that you might find today, the 19th of September, which happens to be the 20th annual International Talk Like a Pirate Day. They are the nine words that begin with the letter C (but not the letter ARRR): Controls, Compliance, Continuity, Coverage, Complexity, Competency, Communication, Convenience, Consistency. Please note that this talk is inspired by an article by Mark Wojtasiak from Vectra, but we have modified the content to be more aligned with our thoughts at CISO Tradecraft.

Now before we go into the 9 Cs, it's important to understand that the 9 Cs represent three equal groups of three. Be sure to look at the show notes, which link to our CISO Tradecraft website and show a 9-box picture that should make this easier to understand. But if you're listening, imagine a three-by-three grid where each row corresponds to a different stakeholder. Each stakeholder is concerned with different things, and by identifying three important priorities for each, we have our grid. Make sense? Okay, let's dig in.

The first row in our grid is the focus of Executive Leaders. First, this group of executives, such as the CEO, CIO, and CISO, ensures that the IT controls and objectives are working as desired. Next, these executives want attestations and audits to ensure that compliance is actually being achieved and the organization is not just paying lip service to those requirements. Thirdly, they also want business continuity: IT systems must remain available despite ransomware attacks, hardware failures, and power outages.

The second row in our grid is the focus of Software Development shops. This group consists of Architects, Developers, Engineers, and Administrators. First, they need to understand the Coverage of their IT systems in asset inventories -- can we account for all hardware and software? Next, developers should be concerned with how Complexity in their environment can reduce security, as the two tend to work at cross-purposes. Lastly, developers care about the Competency of their teams to build software correctly; that competency is a key predictor of the quality of what is ultimately produced.

The third and final row in our grid is the focus of Security Operations Centers. This group consists of Incident Handlers and Responders, Threat Intelligence Teams, and Business Information Security Officers, commonly known as BISOs. They need to provide clear Communication that informs others what they need to do, and they need processes and tools that enable Convenience so as to reduce friction. Finally, they need to be Consistent. No one wants a fire department that only shows up 25% of the time.

So now that we have a high-level overview of the 9 Cs, let's go into detail on each one of them. We'll start with the focus of executive leaders. Again, that is controls, compliance, and continuity.

Controls - According to James Hall's book on Accounting Information Systems[i], General Computer Controls are "specific activities performed by persons or systems designed to ensure that business objectives are met." Three common control frameworks that we see inside organizations today are COBIT, COSO, and ITIL. COBIT®, which stands for Control Objectives for Information and Related Technologies, was built by the IT Governance Institute and the Information Systems Audit and Control Association, better known as ISACA®.
COBIT® is primarily focused on IT compliance, audit issues, and IT service, which should not be a surp

About the Podcast

Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.